Nathan's Lucubrations

Many moons ago, I remember reading a very insightful screed against a language that should have been put to pasture long ago: PHP. I guffawed, shook my head and smiled smugly that at least I wasn't using PHP.

Until my webmail (written in PHP) got hacked into. PHP would be a nightmare we could all wake up from, if there wasn't so much software written in it.

And then today, I get an email, announcing that yet again, they've found more security holes in PHP. Not just one hole, but many; here's the list:

• paths containing a NUL character improperly handled, thus allowing an attacker to manipulate unexpected files on the server.
• integer overflow flaw leading to a heap-based buffer overflow in PHP's FTP extension, when parsing listings in FTP server responses. This could lead to a a crash or execution of arbitrary code.
• A denial of service through a crash could be caused by a segfault in the php_pgsql_meta_data function.
• PHP could crash when processing an invalid phar file, thus leading to a denial of service.
• buffer overflow in the phar_fix_filepath function, that could causes a crash or execution of arbitrary code.
• problem in the unserialization of some items, that could lead to arbitrary code execution.
• phar extension improperly handled zip archives with relative paths, which would allow an attacker to overwrite files outside of the destination directory.
• several use-after-free vulnerabilities that could lead to arbitrary code execution.

Welcome to PHP, where NUL terminating your strings will allow an attacker to overwrite files on your server, and attackers have no end of options for arbitrarily executing code!

It's like sendmail and bind - they've had their use, seen their heyday, but anyone with a lick of sense and competence in the field knows that they're so full of holes you don't use them without a team of at least 10 admins. Meanwhile, qmail and djbdns work just fine for multiple domains being run by one guy on absolutely minimal time (something like 1/8 of full time job).

Seriously, though, this is a call to arms, a call to war even: a war on PHP. Developers, stop writing PHP. Admins, remove PHP from your systems, dev seats and servers included. Hosting providers, stop supporting PHP and instead setup something better like Python or Perl instead. The line must be drawn here, no further. This has to end now. For the good of all humanity, please make it stop!