
New PHP Interpreter Finds XSS, Injection Holes

rkrishardy writes "A group of researchers from MIT, Stanford, and Syracuse has developed a new program, named 'Ardilla,' which can analyze PHP code for cross-site scripting (XSS) and SQL injection attack vulnerabilities. (Here is the paper, in PDF, and a table of results from scanning six PHP applications.) Ardilla uses a modified Zend interpreter to analyze the code, trace the data, and determine whether the threat is real or not, significantly decreasing false positives." Unfortunately, license issues prevent the tool in its current form from being released as open source.
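As an added illustration of the summary's point (this is not Ardilla's code and not from the paper), here is a toy Python model of tracing user-controlled data through a PHP-like script and reporting a finding only when it reaches a sink still unsanitised for that sink's attack class. The statement forms, the sanitiser and sink tables, and the sample script are all constructed for this example.

```python
from dataclasses import dataclass
# Assumed toy mapping (not Ardilla's): the attack class each PHP sanitiser
# neutralises, and the attack class each sink is exposed to.
SANITIZERS = {"htmlspecialchars": "xss", "mysql_real_escape_string": "sqli"}
SINKS = {"echo": "xss", "mysql_query": "sqli"}

@dataclass
class Val:
    text: str                           # concrete value during the run
    tainted: bool = False               # derived from user-controlled input
    clean_for: frozenset = frozenset()  # attack classes already sanitised away

def run(program):
    """Run PHP-like statements, propagating taint, and return confirmed
    findings as (attack, sink, variable). Statement forms (constructed here):
      ("source", var, value) | ("call", var, sanitiser, src)
      ("concat", var, [parts]) with "$name" or literal parts | ("sink", func, var)"""
    env, findings = {}, []
    for stmt in program:
        kind = stmt[0]
        if kind == "source":
            env[stmt[1]] = Val(stmt[2], tainted=True)
        elif kind == "call":
            v = env[stmt[3]]
            env[stmt[1]] = Val(v.text, v.tainted, v.clean_for | {SANITIZERS[stmt[2]]})
        elif kind == "concat":
            parts = [env[p] if p.startswith("$") else Val(p) for p in stmt[2]]
            tainted = [p for p in parts if p.tainted]
            # A concatenation is only as clean as its least-sanitised tainted piece.
            clean = frozenset.intersection(*(p.clean_for for p in tainted)) if tainted else frozenset()
            env[stmt[1]] = Val("".join(p.text for p in parts), bool(tainted), clean)
        elif kind == "sink":
            v, attack = env[stmt[2]], SINKS[stmt[1]]
            # Report only when data still tainted for *this* sink's attack class
            # arrives; a grep for $_GET near echo would also flag the safe flow.
            if v.tainted and attack not in v.clean_for:
                findings.append((attack, stmt[1], stmt[2]))
    return findings

# Constructed sample script: one correctly sanitised flow, two unsafe ones.
SAMPLE = [
    ("source", "$q", "<script>alert(1)</script>"),
    ("call", "$safe", "htmlspecialchars", "$q"),
    ("concat", "$html", ["<b>", "$safe", "</b>"]),
    ("sink", "echo", "$html"),                      # HTML-escaped: no finding
    ("concat", "$sql", ["SELECT 1 WHERE q='", "$safe", "'"]),
    ("sink", "mysql_query", "$sql"),                # wrong sanitiser for SQL: sqli
    ("concat", "$out", ["Results for ", "$q"]),
    ("sink", "echo", "$out"),                       # unsanitised: xss
]
```

`run(SAMPLE)` yields the two real flows and stays quiet on the HTML-escaped one, which is the false-positive reduction the summary describes.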
  • Find X? (Score:4, Funny)

    by eldavojohn ( 898314 ) * on Friday June 19, 2009 @11:27AM (#28390549) Journal

    New PHP Interpreter Findx XSS, Injection Holes

    New PHP Interpreter Finds XSS, Injection Holes

    Fixed it for you.

    Clearly the title was trying to illustrate the PHP interpreter's ability to solve the pythagorean theorem [mit.edu].

  • by Anonymous Coward on Friday June 19, 2009 @11:28AM (#28390569)

    it probably hasn't been open sourced because it's full of security holes

  • by Norsefire ( 1494323 ) * on Friday June 19, 2009 @11:29AM (#28390591) Journal
    And mine is open source:

    # Reads the first file named on the command line and flags every line
    # that mentions "php" as an exploit.
    open( my $code, '<', $ARGV[0] ) or die 'File not found';
    while( <$code> ) {
        if( /php/i ) {
            print "Exploit found\n";
        }
    }

  • Re:Find X? (Score:5, Funny)

    by eldavojohn ( 898314 ) * on Friday June 19, 2009 @11:36AM (#28390677) Journal

    Clearly the title was trying to illustrate the PHP interpreter's ability to solve the pythagorean theorem [mit.edu].

    I don't need PHP for that! Besides, the pythagorean theorem doesn't have X, just a, b, and c.

    a^2 + b^2 = c^2

    I see you prefer short, nondescript variable names for your algorithms. I pity the person who has to maintain that bit of code. What is a? What is b? What is c?

    I ascribe to a more Knuth-y self descriptive code and prefer the Pythagorean theorem to look more like:

    sideAdjacentToRightAngle^2 + otherSideAdjacentToRightAngle^2 = sideOppositeRightAngle^2

    Or maybe I'm just being a smartass? It's so hard to tell with developers these days ...

  • by Anonymous Coward on Friday June 19, 2009 @11:37AM (#28390695)
    Same program, just in one line, hence easier to understand: perl -nE'say q(Exploit found) if /php/i' *
  • by BabyDave ( 575083 ) on Friday June 19, 2009 @11:38AM (#28390707)
    /me turns on short_open_tag in php.ini, then cackles maniacally ...
  • Re:Find X? (Score:4, Funny)

    by MillionthMonkey ( 240664 ) on Friday June 19, 2009 @11:56AM (#28390943)

    I ascribe to a more Knuth-y self descriptive code and prefer the Pythagorean theorem to look more like:

    sideAdjacentToRightAngle^2 + otherSideAdjacentToRightAngle^2 = sideOppositeRightAngle^2

    Or maybe I'm just being a smartass? It's so hard to tell with developers these days ...

    Would you want to stare at a wall of code with otherSideAdjacentToRightAngles and sideOppositeRightAngles and sideAdjacentToRightAngles all over the place?

    You could just go all the way and call them II11011I, I1IIOI1I, and II110I1I. At least call one of them "hypotenuse", christ.

  • Re:Find X? (Score:3, Funny)

    by Haeleth ( 414428 ) on Friday June 19, 2009 @02:30PM (#28393131) Journal

    I ascribe to a more Knuth-y self descriptive code and prefer the Pythagorean theorem to look more like:

    sideAdjacentToRightAngle^2 + otherSideAdjacentToRightAngle^2 = sideOppositeRightAngle^2

    Magic constants?! That's dreadful! How am I supposed to know what 2 is for in that code? And, worse, what if you need to change it to something other than 2? You'd have to change it in three places. You might easily forget one and break everything.
