by gtsteve 2220 days ago
> PHP allows incompetent programmers to create insecure websites.

The points you bring up are good but my first instinct was to distrust you as you opened with that. I don't believe any specific shortcoming of PHP makes these issues more or less likely. Anyone can make an insecure website in any language.

Secondly I don't think I quite agree with the ethics of dropping a security vulnerability in a public forum. I think you should edit this message to remove the details and go through the proper channels to get this resolved, if it is indeed still a problem.


Bare PHP (without any framework) and the tons of bad advice surrounding it make it easier to screw up than other languages, where it's very hard to do web development without a framework, so most beginners start off with a framework directly, which provides structure and guard-rails against doing insecure things.

I mean, you're not wrong, but starting the post off by insulting PHP is childish and doesn't inspire trust that the rest of the report is worth reading.

Personally, the ethics of it are secondary to the fact that BambooHR could sue HN to recover the IP address guessmyname used to post, followed by suing their ISP to get an address, and then trawl through their records/backups to link it to an individual. Now, BambooHR may not be run by assholes (I've never encountered them before), and may choose to fix the bug quietly rather than go after "guessmyname" with a lawsuit, but companies are not known for being especially insightful when computer security comes up. (Such as the HipChat example mentioned.)

Hopefully guessmyname always uses a VPN or a public hotspot to access this site, in case it turns out that BambooHR is run by litigious jerks.