3 replies on “Unscheduled System Interruption (GSAS.harvard.edu)”

  1. It doesn’t surprise me that a WordPress or Joomla site was hacked. Having tried to grok bits of the WP codebase myself, I can say for a fact that the folks in charge of development don’t really care about web standards, security or maintainability (which, when you think about it, are all intimately related). There have been too many [serious] security vulnerabilities in WP, and most popular PHP software as a whole. In fact, PHP actively encourages dangerous programming practices, simply because it’s quicker to write (excluding time spent rebuilding the system after a break-in). And just this week I ran across this gem: How not to do XML.

  2. Nonsense. It’s a set of facts that some people don’t want to hear, and something I’ve been saying for a while. PHP actively encourages dangerous programming practices, and WordPress does lots of things that make it even worse (look at how easy it is to just download a plugin or theme from the web and plop it in place; instantly the install is running some random code that has complete access to the internals of the system). Sure, it’s convenient (that’s why PHP is popular), but that doesn’t mean it’s secure.

    We have a management/auditing webapp that is distributed with the solution we sell. You would be hard-pressed to find an XSS exploit (admittedly not something you can use to directly take over a server, but terribly common) since we use XSLT for the view, an SQL injection attack (we use JDBC’s bind variables and Hibernate’s ORM, making that basically impossible) or some sort of untrusted code injection attack (Java doesn’t have an eval statement and there’s simply no way to run external code). I’m not saying Java is the best language for the web, and I’m not saying that there aren’t security issues with our webapp (we don’t know of any; if there were any, they would be fixed immediately). I’m saying that there are languages and programming methodologies that try very hard to be secure. Then there’s PHP, which thwarts that for a little convenience.
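The bind-variable defence the second reply credits to JDBC, shown as an added example that is not the commenter's code: Python's standard sqlite3 module is used so it runs stand-alone, but the mechanism is the same one a JDBC PreparedStatement provides. The table and the names in it are constructed for the demonstration.

```python
import sqlite3

# Constructed sample rows: not the commenter's webapp, just data to query.
ROWS = [("alice", "admin"), ("bob", "user"), ("o'brien", "user")]


def make_db():
    """Build an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def lookup_concatenated(conn, name):
    """The dangerous pattern: the value is spliced into the SQL text, so the
    database parser sees it as part of the statement rather than as data."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn, name):
    """The bind-variable pattern (what JDBC's PreparedStatement does): the SQL
    text is fixed and the value travels separately, so it is never parsed as SQL."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups against ordinary and hostile input and collect the outcomes."""
    conn = make_db()
    results = {}
    # 1. Perfectly legitimate data containing a quote: concatenation produces
    #    malformed SQL and the query fails; the bound version just works.
    try:
        lookup_concatenated(conn, "o'brien")
        results["concat_quote"] = "ok"
    except sqlite3.OperationalError:
        results["concat_quote"] = "error"
    results["bound_quote"] = lookup_bound(conn, "o'brien")
    # 2. Input that rewrites the WHERE clause: concatenation returns every row,
    #    while the bound query treats it as a literal name and matches none.
    tautology = "x' OR '1'='1"
    results["concat_tautology"] = len(lookup_concatenated(conn, tautology))
    results["bound_tautology"] = len(lookup_bound(conn, tautology))
    return results


if __name__ == "__main__":
    print(demo())
```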
