Recently Exposed PHP Hole's Official Fix Ineffective
wiredmikey writes "On Wednesday, a remote code execution vulnerability in PHP was accidentally exposed to the Web, prompting fears that it may be used to target vulnerable websites on a massive scale. The bug itself was traced back to 2004, and came to light during a recent CTF competition. 'When PHP is used in a CGI-based setup (such as Apache's mod_cgid), the php-cgi receives a processed query string parameter as command line arguments which allows command-line switches, such as -s, -d or -c to be passed to the php-cgi binary, which can be exploited to disclose source code and obtain arbitrary code execution,' a CERT advisory explains. PHP developers pushed a fix for the flaw, resulting in the release of PHP 5.3.12 and 5.4.2, but as it turns out it didn't actually remove the vulnerability."
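A defender's check for the behavior the advisory describes, as an added example that is not part of the original story or the CERT advisory: it scans web access-log lines for query strings that a CGI server would hand to php-cgi as command-line arguments and that look like switches. It assumes the standard CGI rule that a query string with no unencoded "=" is split on "+" and URL-decoded into arguments; the log lines and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/May/2012:10:00:01 +0000] "GET /index.php?-s HTTP/1.1" 200 5120',
    '203.0.113.5 - - [04/May/2012:10:00:02 +0000] "GET /index.php?%2Ds HTTP/1.1" 200 5120',
    '198.51.100.7 - - [04/May/2012:10:00:03 +0000] "GET /index.php?page=-s HTTP/1.1" 200 812',
    '198.51.100.7 - - [04/May/2012:10:00:04 +0000] "GET /search.php?php+security HTTP/1.1" 200 901',
    '192.0.2.9 - - [04/May/2012:10:00:05 +0000] "POST /a.php?+-d+x HTTP/1.1" 200 77',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def cgi_argv(query):
    """Arguments a CGI server derives from a query string ([] if none).

    Assumption (standard CGI behavior): only a query string without an
    unencoded '=' is treated as a '+'-separated, URL-encoded argument list.
    """
    if not query or "=" in query:
        return []
    return [unquote(part) for part in query.split("+") if part]


def switch_like_args(line):
    """Return the derived arguments in one log line that look like switches."""
    match = REQUEST_RE.search(line)
    if not match or "?" not in match.group(1):
        return []
    _path, query = match.group(1).split("?", 1)
    # Decode first, then test: the check must see what the binary would see.
    return [arg for arg in cgi_argv(query) if arg.strip().startswith("-")]


def flag_requests(lines):
    """Return (line_index, switch_like_arguments) for every suspicious line."""
    return [(i, args) for i, line in enumerate(lines)
            if (args := switch_like_args(line))]


if __name__ == "__main__":
    for index, args in flag_requests(SAMPLE_LOG):
        print(f"line {index}: switch-like CGI arguments {args}")
```

Ordinary form parameters such as `page=-s` are not flagged, because the presence of "=" means the query string is never turned into arguments.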
Re:And (Score:2, Interesting)
stable
no licensing
great track record
no licensing
flexable
no licensing
modules for everything
no licensing
Re:You shouldn't. Nobody should. (Score:0, Interesting)
This SO hard.
This doesn't even touch on the horrible base code itself that is horribly flawed, errors that will happily continue being processed where any other normal language would scream your face off. (which could get seriously bad when used in exploits)
I think everyone here should have a good hard read of this.
PHP: A fractal of bad design
Long story short, most of the language is inconsistent with respect to most other languages.
Some errors you'd normally expect to be shown in other languages relating to processing data happily continue, no questions asked.
Horrible chains of flags that are dependent on each other that can change program behavior.
Inconsistent variable, array and any other handling of types.
=== is broken. As well as various other operators and access methods ( [] and {} )
Many others.
After using PHP for a while, I would seriously rather use ASP or VB. At least they are consistent. (but don't, really, don't use either)
The language is such a terrible hack of a language.
Use one of the many other far better and robust languages like the ones mentioned in parent.
PHP seriously isn't worth the effort. A language that isn't predictable and requires you to learn a hundred different quirks and hacks is just embarrassing.
Re:Cm'on (Score:5, Interesting)
Re:You shouldn't. Nobody should. (Score:5, Interesting)
Re:And (Score:5, Interesting)
> No licensing
Wrong [php.net]
> stable
This news post is proof that's wrong.
> great track record
Wrong. [veekun.com]
> flexable
About as flexible as your spelling.
> modules for everything .. all in the core API.
This is true. AND THEY'RE ALL PART OF THE CORE API! ImageMagick, MySQL (THREE TIMES!), Curl, etc.
PHP is a fucking disgrace and a blight on the world and needs to die a fiery death.
(Spend a few minutes reading the URL I linked above at veekun.com for a wonderful breakdown on why PHP is a heinous pile of horseshit.)
Re:You shouldn't. Nobody should. (Score:2, Interesting)