re: I would be curious to know the details of this security issue you spent hours on, and why the same mistakes couldn't have been made in NodeJS. In ...

In short,

<?php

require($_GET['template_name']);

Of course that was hidden over several layers of call stack so it was not so obvious, and the hours were mostly spent making an assessment of the server to know if anybody used it.

I'm not particularly a fan of NodeJS, but it's just that this kind of mistake is super easy to make in PHP despite all the goodwill of frameworks.

My problem with PHP is that the PRNG is unsafe, the way weak typing works is unsafe, the absence of unicode handling is unsafe, the fact that PHP is a templating language is unsafe, the silent failures are unsafe, ... Everything in PHP is unsafe.

It's just an example within an ocean but let's compare JS and PHP on weak typing.

if (0 == "bonjour") {
    // Will be reached in PHP but not in JS
}

By converting strings to integers and not the opposite, the typing system removes information and possibly creates security issues (this specific thing was used in phpBB to become administrator by modifying your session ID).

Of course you can ban == in your code but what about dependencies? What about some things in the standard library which will keep on doing == instead of === because it's more within the philosophy of PHP?

Of course NPM is not perfect and there are tons of flaws in it, but the fact is that PHP is fucking terrifying.
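The include at the top of this comment, beside a version that resolves the request parameter through an allowlist so the client can only ever pick a known file. This is an added example, not code from the original comment or from the server being described; the template names, the templates/ directory and the render_* function names are constructed for it, and it assumes PHP 7.4 or later.

```php
<?php
// Added example: user-selected template, vulnerable form beside an allowlisted form.
// Template names, directory and function names are constructed for this example.

declare(strict_types=1);

const TEMPLATE_DIR = __DIR__ . '/templates';

// Allowlist: request parameter value => file on disk. Anything not in this map
// is rejected, and the request value itself never becomes part of a path.
const TEMPLATES = [
    'home'    => 'home.php',
    'profile' => 'profile.php',
    'contact' => 'contact.php',
];

/**
 * Resolve a template name taken from user input to an absolute path.
 * Returns null for non-string input, unknown names and missing files,
 * so the caller fails closed instead of including something unexpected.
 */
function resolve_template($name): ?string
{
    if (!is_string($name) || !array_key_exists($name, TEMPLATES)) {
        return null;
    }

    $base = realpath(TEMPLATE_DIR);
    $real = realpath(TEMPLATE_DIR . '/' . TEMPLATES[$name]);

    // realpath() fails for a missing file; the prefix check guards against a
    // misconfigured allowlist entry pointing outside the template directory.
    if ($base === false || $real === false || strpos($real, $base . '/') !== 0) {
        return null;
    }
    return $real;
}

// The form from the comment above: whatever the client sends is included.
// Kept here only as the "before" for comparison.
function render_unsafe(array $get): void
{
    require($get['template_name']);
}

// Hardened form: only names present in TEMPLATES can ever reach require().
function render_safe(array $get): void
{
    $path = resolve_template($get['template_name'] ?? null);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown template';
        return;
    }
    require $path;
}

render_safe($_GET);
```

The point of the allowlist is that the request value is used as a lookup key, never as a filename: `?template_name=../../etc/passwd`, a remote URL or a path to an uploaded file all fall through to the 404 branch because none of them is a key of TEMPLATES.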

JavaScript has numerous similar oddities that could lead to unwanted behaviour when the code is written by someone who doesn't know the language:

medium.com/@daffl/javascript-the-w...

In what language is it a good practice to compare a string to 0 in order to prove that it's empty or null anyway?

I agree that PHP is weakly typed, but the main issue here is the developer. I work with PHP developers and no one writes this kind of code.

PHP's reputation is mainly due to the fact that in the past a lot of PHP software was written by script kiddies. People I hear dismissing PHP as a whole have no experience of modern PHP development.

JS is a good comparison because it's a really strong amateur language as well. And I'm not saying that it has no issues but rather that PHP makes very dangerous things very easy to do.

Of course, PHP improved a lot and much of the low-hanging fruit has been fixed. However, let's have a look at this security issue from phpBB back in 2005. Yes it's old and yes a linter would fix it. But if someone wrote that code today the issue would still be there.

If you take the code, it goes like this (in short):

// Session data comes straight from the client's cookie, through unserialize()
$sessiondata = isset($HTTP_COOKIE_VARS[$cookiename . '_data']) ? unserialize(stripslashes($HTTP_COOKIE_VARS[$cookiename . '_data'])) : array();

// The stored key is always a string
$auto_login_key = $userdata['user_password'];

// Loose comparison: the types on both sides decide how this is evaluated
if( $sessiondata['autologinid'] == $auto_login_key )
{
    // You're admin
}

So yes, the stripslashes() is a funny reminder of a time that is actually over, since PHP managed to get rid of magic_quotes_gpc, but that's not the point.

Some raw data from the user goes through unserialize(). Which means that $sessiondata['autologinid'] is of whatever type the user chooses. On the other hand, $auto_login_key is a string.

To answer your question, who would compare 0 to a string? Well, some hacker using unforeseen side effects in some code that looks very reasonable otherwise. Putting 0 in autologinid is equivalent to writing:

// Before implicit cast
if( 0 == "somekey" )

// After implicit cast
if( 0 == 0 )

You're going to tell me that now we have JSON and frameworks and many wonders that help us not do this kind of thing. But if you never saw a junior write a $_GET in some Laravel/Symfony code then you have not been looking. And the same goes for all protections brought by these frameworks: they are just too easy to bypass.

Now to be honest I don't like PHP and I don't like JS (especially on the back-end) so that's really more of an anti-PHP argument than a pro-Node one.
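The autologinid check quoted above, rewritten as two small functions so the effect of == on values of different types can be compared against a strict check. This is an added example, not code from phpBB or from the original comment; the STORED_KEY value, the candidate list and the autologin_* function names are constructed for it. It assumes PHP 7.4 or later and uses hash_equals(), which has been in the standard library since PHP 5.6.

```php
<?php
// Added example: loose vs strict verification of a client-supplied login key.
// STORED_KEY, the candidates and the function names are constructed for this example.

declare(strict_types=1);

// Stand-in for $userdata['user_password'] in the quoted code: always a string.
const STORED_KEY = 'somekey';

// The phpBB-style check: a loose comparison against whatever unserialize()
// produced from the cookie, so $candidate may be of any type.
function autologin_loose($candidate, string $storedKey): bool
{
    return $candidate == $storedKey;
}

// Hardened check: refuse anything that is not a string, then compare with
// hash_equals(), which never coerces types and runs in constant time.
function autologin_strict($candidate, string $storedKey): bool
{
    if (!is_string($candidate)) {
        return false;
    }
    return hash_equals($storedKey, $candidate);
}

// Values of the kinds unserialize() can hand back from a cookie. Only the
// first one is the real key; every other row should be rejected.
$candidates = [
    'correct key'  => 'somekey',
    'wrong key'    => 'otherkey',
    'integer 0'    => 0,
    'boolean true' => true,
    'null'         => null,
    'empty string' => '',
];

printf("%-14s %-8s %-8s\n", 'candidate', 'loose', 'strict');
foreach ($candidates as $label => $value) {
    printf(
        "%-14s %-8s %-8s\n",
        $label,
        autologin_loose($value, STORED_KEY) ? 'ACCEPT' : 'reject',
        autologin_strict($value, STORED_KEY) ? 'ACCEPT' : 'reject'
    );
}
```

Running it shows why the comment insists the problem is the language rather than one line of phpBB: the strict column accepts only the correct key, while the loose column also accepts the boolean row on every PHP version, and the integer 0 row on PHP 7 and earlier, which is the comparison described above. PHP 8 changed number-to-string comparison so that `0 == "somekey"` is false, but it left bool-to-string juggling alone, so `==` on data whose type the client controls is still not a safe equality check; the fix is the is_string() guard plus hash_equals() (or === where timing does not matter).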
