PHP vs. Python/comp.lang.php?
Fredrik Lundh
fredrik at pythonware.com
Fri Nov 23 12:02:02 EST 2001
Suchandra Thapa wrote:
> However, PHP has some fairly large flaws in comparison to python.
if I'm to believe the following paper, "fairly large" is one
huge understatement:
http://www.securereality.com.au/studyinscarlet.txt
    ... a remote attacker can create any variable they wish
    and have it declared in the global namespace ... they
    can modify the start of the path ... PHP will make a HTTP
    request to evilhost, retrieve the attacker's code and
    execute it ... this attack can be used to expose the
    contents of all sorts of sensitive files ... the attacker
    can simply upload the attack tools, have them saved
    by PHP then use their code execution ability to chmod()
    the file and execute it ...
but maybe it isn't quite as bad as he makes it sound?
</F>