I bookmarked this Stefan Esser interview a while ago and finally got back to reading it, and by reading it I mean that I actually read it closely and didn't just skim and click. I was sidetracked last time by messing around with Suhosin on my local machine just to check it out. By the way, it worked pretty flawlessly for me, and without an unreasonable amount of mucking around given that it is intended to bolster security, which seems inherently complicated. It also failed to break anything, which is a nice surprise when your code is as slapdash and half-finished as mine usually is.
The part that I really liked about this interview, and about Esser's attitude, is the balance between a technical understanding of the things that may cause security problems and the acknowledgement that sometimes those problematic design decisions are based on how best to solve a particular problem without abandoning backward compatibility, rather than on the stupidity or laziness that so many security folks seem to think is responsible for many of the flaws they find. This is most apparent when he's talking about WordPress:
From my point of view, WordPress is not well designed. This starts for example with the fact that they are escaping all input for the database in the beginning, and later when issuing the queries they just put variables directly into the query. The bug I released (charset conversion SQL injection) would not have been possible if they had chosen the more common design, to escape everything right before it is put into the query. Others might argue that they should better use prepared statements and variable binding, but WordPress has to be compatible with old MySQL databases and PHP installations that do not support this. Another problem of WordPress is that it is sooo user friendly that it spits out detailed error messages when a SQL query fails, such that a potential attacker can gain information about the query.
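The following Python sketch is an added illustration of the design problem Esser describes; it is not code from the original post, from WordPress or from Esser. It assumes the classic mechanism behind this class of bug (PHP addslashes()-style byte-wise escaping applied when the request starts, with the result later reinterpreted in a multibyte connection charset such as GBK, where the inserted backslash is consumed as the second byte of a two-byte character) and uses a toy query builder and a small MySQL-style literal scanner in place of $wpdb and the real parser. The attacker input is constructed for the example.

```python
"""
Added illustration of the "escape early, interpolate late" design problem:
not WordPress or Esser's code. Assumed mechanism: PHP addslashes()-style
byte-wise escaping done at request start, then a multibyte connection
charset (GBK here) that decodes the inserted backslash as the tail byte of
a two-byte character. PREFIX/literal_end are stand-ins for $wpdb and
MySQL's literal parsing.
"""
import sqlite3

GBK = "gbk"
PREFIX = "SELECT * FROM users WHERE name = '"

# Constructed attacker input: a lone GBK lead byte followed by a quote.
PAYLOAD = b"\xbf' OR 1=1 -- "


def addslashes(data: bytes) -> bytes:
    """Byte-oriented escaping like PHP's addslashes(): backslash before
    ', ", backslash and NUL. It cannot know which charset will later decode
    these bytes, which is the root of the problem."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def escape_late(value: str) -> str:
    """Character-oriented escaping on already-decoded text, applied right
    before the value is spliced into the query (the 'more common design').
    Decoding has already happened, so no lead byte can swallow the backslash."""
    return (value.replace("\\", "\\\\")
                 .replace("'", "\\'")
                 .replace('"', '\\"')
                 .replace("\x00", "\\0"))


def literal_end(sql: str, start: int) -> int:
    """Index just past the single-quoted literal opening at sql[start], using
    MySQL rules: backslash escapes the next character, '' is an embedded
    quote. Raises ValueError if the literal never closes."""
    if sql[start] != "'":
        raise ValueError("no literal at start")
    i = start + 1
    while i < len(sql):
        c = sql[i]
        if c == "\\":
            i += 2
        elif c == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                i += 2
            else:
                return i + 1
        else:
            i += 1
    raise ValueError("unterminated string literal")


def sql_tail(sql: str) -> str:
    """Text the parser sees after the name literal: empty when the input
    stayed inside the quotes, otherwise the injected SQL."""
    return sql[literal_end(sql, len(PREFIX) - 1):]


def query_escape_early(raw: bytes, charset: str = GBK) -> str:
    """Flow Esser criticises: escape the raw bytes first, decode them in the
    connection charset later, then drop the result into the query text."""
    return PREFIX + addslashes(raw).decode(charset, errors="replace") + "'"


def query_escape_late(raw: bytes, charset: str = GBK) -> str:
    """Decode in the connection charset first, escape immediately before
    interpolating."""
    return PREFIX + escape_late(raw.decode(charset, errors="replace")) + "'"


def bound_query_matches(raw: bytes, charset: str = GBK) -> int:
    """The option Esser says WordPress could not rely on: bind the value
    instead of building SQL text. sqlite3 stands in for the database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    rows = conn.execute("SELECT name FROM users WHERE name = ?",
                        (raw.decode(charset, errors="replace"),)).fetchall()
    conn.close()
    return len(rows)


if __name__ == "__main__":
    for charset in ("latin-1", GBK):
        q = query_escape_early(PAYLOAD, charset)
        print(f"escape early, {charset:8}: {q!r} -> tail {sql_tail(q)!r}")
    q = query_escape_late(PAYLOAD)
    print(f"escape late,  {GBK:8}: {q!r} -> tail {sql_tail(q)!r}")
    print("bound parameter matches:", bound_query_matches(PAYLOAD))
```

Running it with a single-byte charset (latin-1) shows why the early-escape design looks perfectly sound on the installations it was written against: the backslash survives and the quote stays inside the literal. With GBK the same escaped bytes decode to one CJK character followed by a bare quote, and everything after it is live SQL. This is also why MySQL's own mysql_real_escape_string() takes the connection charset into account; escaping before that charset is known is the design choice Esser is objecting to.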
In any case, it is nice to read an interview where security is the focus of the conversation and I actually take something away from it. Thanks, man.