Firestorms on slashdot.org are common, almost as common as misquotes. What is less common though is a thoughtful response to the situation. Which is what makes Zeev Suraski’s recent blog post interesting.
In a recent article regarding Stefan Esser resigning from the PHP security team, one of the comments, quoting from this article, implies that Zeev Suraski, CTO of Zend Technologies, Inc. and a member of the PHP security team, feels that all security issues with PHP applications are caused by inexperienced programmers using the language. (Zeev is more than a few nodes up the org tree from me, but yes, it's the same Zend that pays my salary.)
In his blog post today, Zeev takes issue with the comment giving that impression.
I’ve just been misquoted on Slashdot, as if I said there are no security problems in PHP itself, and that I instead point my finger only at inexperienced developers.
If you read the original article on Heise Security, you’ll see that I have not said anything of the sort. While I hope Slashdot fixes this story, I thought I’d make my stand on this clearer. I believe this is the belief of most others on the security team, but I’m only speaking on behalf of myself and do not represent them.
Zeev goes on to lay out his reasoning for the comments that he did make. Given the sensitivity of the subject matter and the high emotions involved, I won’t try to paraphrase anything, lest I get it wrong and make things worse. I think it’s better if you get it straight from the source.
=C=

Comments
My favorite line would be the following from the "Security expert"
"Additionally you might try to explain to me how you run a C program on shared hosting servers."
Before PHP, there was Perl; before Perl there was C. I am sure there are still a lot of C programs chugging along on the web just fine. Of course, for someone so centered on flaming PHP, I guess I can see how he might forget such a thing!
It is not the responsibility of someone to disclose all possible ways to accomplish a specific attack. In this case Stefan was simply explaining how to use PHP for this attack. I wasn't aware of this and am glad that the technique was brought to my attention.
But I'd agree with you that anyone who does shared hosting and allows users to execute arbitrary C code has more than PHP to worry about.