Comment Re:Browsers getting too complex (Score 1) 237
Except vanilla html5/javascript won't let you touch the filesystem other than to load files (you can with extensions or using some other method like PHP). That makes it difficult to design an exploit as well as create a safety sandbox for the program itself. Flash is essentially an OS, so exploiting it makes exploiting the machine much easier. I've been hacked so many times with PHP vulnerabilities I've stopped using it and use my own coded CGI calls for file access.
Speaking of CGI, CGI's been around since 1993 and has pretty much all the vulnerabilities of whatever application it calls. I've used it for some strange stuff - kick of a csh, run a program that takes specifically (and well parsed) text as input and then elevate itself to root to load it as a crontab, run perl scripts, start a terminal on the web server as root when I didn't have root (exploited a root vulnerability and placed my little password protected file there, and then created a way to start it from my web browser - that eventually broke when my computer was refreshed and the hard coded DISPLAY was wrong), etc.