[Coco] To everyone concerning CoCo3.com damage

William Astle lost at l-w.ca
Fri Nov 23 02:26:05 EST 2007


CoCo Tower wrote:
> WAIT.  Ok, now the user "testing" appears to have
> uploaded the PHP/C99shell.B backdoor script as
> reported by Microsoft OneCare.  How in the heck do the
> powers that be let this stuff happen.  The authors of
> PHP and MySQL have got to get their stuff together.

I do hope that whoever this juvenile is gets caught. It's just
ridiculous. And I agree that the timing indicates a directed attack with
clear malicious intent.

With that said, I do feel the need to point something out. PHP is a
general purpose programming language and, as such, can be used for
malicious purposes and code written in it can be malicious or insecure.
This is the same as any other general purpose language such as C or Perl
or Assembler. The backdoor script mentioned above is harmless if your
system is set up so the server cannot be convinced to execute the file.

MySQL is simply not responsible for anything done by PHP and, again,
it's usually insecure programs that allow MySQL to be "exploited". Not
checking data coming from external sources (including the database
itself) is the biggest culprit there.

It would be much more fair to have said something like: The authors of
applications that use PHP and MySQL have got to get their stuff together.

And before anyone goes about blaming the hosting company for user
uploaded software getting exploited, there is simply no possible way a
web hoster with more than a handful of customers can audit everything
uploaded to the server unless people are willing to pay something like
$10,000 per year for web site hosting. (It takes a lot of time to keep
up to date on every possible security problem users might upload to
their sites.)

-- 
William Astle
finger lost at l-w.ca for further information

Geek Code V3.12: GCS/M/S d- s+:+ !a C++ UL++++$ P++ L+++ !E W++ !N w---
!D !M PS PE V-- Y+ PGP t+@ 5++ X !R tv+@ b+++@ !DI D? G e++ h+ y?
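The reply's point that unchecked external data, not MySQL itself, is what lets a database be "exploited" can be shown in a few lines of PHP. The following is an added example, not code from the mailing-list post or from the CoCo3.com site: a query that concatenates user input into SQL text next to a version that validates the value and binds it as a parameter. The table name `users`, the column names, and the DSN and credentials are placeholders assumed for the example.

```php
<?php
// Added example (not from the mailing-list post): the "unchecked external
// data" problem, shown as a vulnerable MySQL query beside a parameterized one.
// The DSN, credentials and the `users` table are assumed placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=example', 'user', 'password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

// VULNERABLE: the username is spliced straight into the SQL text, so a quote
// character in the value changes the structure of the query itself.
function findUserUnsafe(PDO $pdo, string $username): array {
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: check the value against an allow-list first, then bind it as a
// parameter so the server only ever sees it as data, never as SQL.
function findUserSafe(PDO $pdo, string $username): array {
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $username)) {
        throw new InvalidArgumentException('username contains disallowed characters');
    }
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Data read back from the database is external too (the reply's "including
// the database itself"): escape it before it goes into an HTML page, so a
// stored value cannot inject markup or script into the response.
function renderUsername(array $row): string {
    return htmlspecialchars($row['username'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Usage: validated lookup followed by escaped output.
foreach (findUserSafe($pdo, $_GET['user'] ?? '') as $row) {
    echo '<li>' . renderUsername($row) . "</li>\n";
}
```

The same reasoning applies to the uploaded backdoor script the reply calls harmless "if your system is set up so the server cannot be convinced to execute the file": on a mod_php host, disabling the PHP engine for the upload directory (for example `php_admin_flag engine off` in that directory's Apache configuration) means an uploaded `.php` file is served as inert bytes rather than run, which is the property the reply describes.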
