Let the PHP FUD War Begin
Cross Virtual Host Cookie Theft: a great article that brings across a very interesting point until the author takes a sideswipe at PHP and the stream functions, spiraling the article into a one-sided attack that might make people think this is limited to PHP.
The truth, however, which the self-proclaimed "security expert" somehow seems to overlook, could be even scarier: what programming language doesn't have some sort of stream/socket functions? I can do the exact same trick in Perl, Ruby, C; heck, I think even Visual Basic has enough backbone to pull off this "hack".
Does he keep it true to spirit, does he stay on "topic" and discuss the exploit in general?
No, instead he goes off into a spiral of comments clearly showing his own personal warped thinking against PHP in general.
Comments like "The difference is that dangerous functions like stream_socket_server() are often NOT disabled, because PHP comes with about a million dangerous functions"
He is correct in his comment "Things like listening to sockets should not be available for normal webservers." I think clear-cut and straightforward input like that is welcome in the security and the PHP world in general.
Rabid potshots at PHP that are baseless and without merit, however, help no one but maybe himself and his own inner peace.


Ok so the latest response is "Most shared hosting companies would kill you if you try executing arbitrary code on their server"
Every PHP script out there is "arbitrary" code. I have worked at 4 companies that provide hosting; most hosting companies disallow "background" processes that run outside of Apache. CGI, be it Perl, PHP, or even C, is rarely looked into unless a resource problem comes up.
Hosting companies do not have time to verify every single script run by a customer.
Take a look at
http://cgi.resourceindex.com/Programs_and_Scripts/C_and_C++/
These are all C and C++ based programs made to be uploaded and run as CGI. You're telling me no hosting company will allow any of these to run?
Your article does not help either
So, what do you suggest to prevent the abuse of this feature?
It's amazing to see how people attempt to discredit Stefan's work without any reason. He is probably the person that has investigated and fixed most of the PHP security issues to date.
Very sad; hopefully some day people can solve their personal differences and start to work together.
I am not the security expert.
I don't know what the answer is. If you notice, it's not the article itself I have an issue with; it's the delivery and focus on PHP in such a manner that might make people assume that because they don't have PHP installed they are not at risk.
Question from the "Security Expert"
So one of Stefan's responses to my post on his blog is the following!
"Additionally you might try to explain to me how you run a C program on a shared hosting servers."
This guy gets paid to give talks on security and he is asking this question?