Monday, July 23, 2007

The benefits of PHP and testing

I have never liked PHP as a language due to the extremely high number of exploits floating around on the web, but recently I found it to be quite useful as a QA tool. My application server is constantly getting hit with bots that are looking for one PHP exploit or another. They range from core PHP attacks on admin functionality, help system, proxy functionality and other random PHP scripts that ship with various versions (most trying to run some shell command). On top of that there are a lot of PHP 3rd party programs (forums, blogs, etc) that either open more holes or re-expose existing ones. I worry about any site running PHP, they are exposing themselves to a lot of support and maintenance hassles.

However, this is good for me. I get so many hits from bots (and sometimes script kiddies) looking for various holes in PHP that the requests are often malformed, formed incorrectly, contain invalid data, etc; not to mention the constant port scans from not so nice scanners that don't always follow TCP/IP standards (but that's all good, more fodder). This constant assault provides ways I can fix unexpected and often incorrect behavior on my server that results from inexperienced web hackers or automated bots.

To be fair, I do get a rare MS exchange hole where the Authorize header is extra long (for IIS) and tries to exploit the mail server hole. I have written my HTTP parser to be quite heavy duty so it's just a blob of data and if it is too long it will be discarded looking for next CRLF (instead of trying to read it into a fixed buffer which is how a lot of buffer overflow attacks are done).

Long live PHP in all of its poorly coded glory.