Coming in March: Month of PHP bugs


Summary: Stefan Esser's frustrations with the PHP Security Response Team have boiled over into plans for a "Month of PHP Bugs" project scheduled for March 2007.


Esser, widely regarded as an authority on PHP security issues, plans to make daily disclosures on buffer overflows, double free vulnerabilities and trivial bypass bugs in PHP's protection features as part of a wider goal "to make people and especially the PHP developers aware that bugs in PHP exist."

In an interview with SecurityFocus, the German researcher did not hide his disdain for the way PHP security issues are handled by the open-source group that maintains the Apache-backed project. "PHP has a very bad reputation when it comes to security, which is mostly caused by all the advisories about security holes in PHP applications," he declared, arguing that the situation is inflamed by the PHP Group's insistence on blaming programmers for insecure coding practices.

"Remote File Inclusions, vulnerabilities due to register_globals or other problems within the PHP engine (e.g. zend_hash_del_key_or_index bug) are fully to blame on the PHP language. Unfortunately this kind of thinking is not appreciated by the PHP developers and they continue to claim that PHP is not worse than other languages, and that only badly written PHP applications are the problem. The Month of PHP bugs will show however that a lot of bugs in PHP's own source code exist," Esser added.
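The two language-level problems Esser names above, register_globals and remote file inclusion, are shown here as an added example that is not from the article or from Esser. The vulnerable patterns appear only as comments; the code is the hardened form a maintainer would write. The function names, the page allowlist and the templates/ paths are assumptions made for illustration.

```php
<?php
// Added example, not code from the article. It illustrates the two PHP-level
// issues the quote names and how application code defends against them even
// when the interpreter's configuration is not under the developer's control.

// --- Problem 1: register_globals ---
// With register_globals = On, every request parameter became a PHP variable,
// so an uninitialised $authorised could be set to true from the query string.
// Defence: initialise every variable and read request data only from the
// superglobals ($_GET, $_POST, $_SESSION), never rely on implicit globals.
function isAuthorisedHardened(array $session): bool
{
    $authorised = false;               // always initialised, never request-controlled
    if (isset($session['user_id'])) {  // only the server-side session can grant it
        $authorised = true;
    }
    return $authorised;
}

// --- Problem 2: remote file inclusion ---
// The vulnerable pattern is  include $_GET['page'];  with allow_url_include
// enabled: the parameter can name a URL whose contents are then executed.
// Defence: map the parameter onto a fixed allowlist (assumed names below) and
// never pass user input to include(); fall back to a known page otherwise.
const PAGES = [
    'home'    => 'templates/home.php',
    'contact' => 'templates/contact.php',
];

function resolvePage(?string $page): string
{
    if ($page === null || !array_key_exists($page, PAGES)) {
        return PAGES['home'];          // unknown, missing or URL-shaped -> safe default
    }
    return PAGES[$page];
}

// Belt and braces in php.ini (not settable from this script):
//   register_globals  = Off
//   allow_url_include = Off

// Constructed requests for this example:
var_dump(isAuthorisedHardened([]));                            // bool(false): nothing in the session
var_dump(isAuthorisedHardened(['user_id' => 42]));             // bool(true)
var_dump(resolvePage('contact'));                              // "templates/contact.php"
var_dump(resolvePage('http://example.invalid/page.txt'));      // "templates/home.php", never included
```

The allowlist lookup is the important part: validating the parameter's shape (for example rejecting "://") still leaves room for local-file tricks, whereas a fixed map means user input never reaches include() at all.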

Esser's flaw disclosure project will only release information on holes within the code shipped with the default distribution of PHP. "That means we will not disclose holes in extensions that only exist in PECL, while we are sure that those contain vulnerabilities, too. Most of the holes were previously disclosed to the vendor, but not all," he explained.

Because of the volume of stockpiled PHP bugs, he said, more than one vulnerability will be disclosed on some days in March.

"As a vulnerability reporter you feel kinda puzzled how people among the PHP Security Response Team can claim in public that they do not know about any security vulnerability in PHP, when you disclosed about 20 holes to them in the two weeks before. At this point you stop bothering whether anyone considers the disclosure of unreported vulnerabilities unethical. Additionally a few of the reported bugs have been known for years among the PHP developers and will most probably never be fixed," he argued.

The issue of PHP security has been on the front burner lately, driven mostly by a dramatic rise in exploitable flaws in PHP-based Web applications.

  • Good! PHP makes "the LAMP stack" look bad

    Linux-Apache-PHP-MySQL. Three reliable, trustworthy workhorses, and a swiss cheese.

    I analyze a fraction of the spam that gets past my defenses each day. Most of it comes from residential consumer MSFT zombies on broadband. Almost all the rest comes from hastily, naively written, overly complex, compromised PHP applications. It seems to be part of the PHP culture. The five minute install through a browser, and you never look back.

    Linux is the OS of choice for low-cost Web hosting, mainly because more people know it than know Net/Open/FreeBSD. There are a lot more domains on shared hosting at giant lowball data centers than anywhere else, and they're on "the LAMP stack," a chain with a weak link.

    Now that these guys are all going to freeware Content Management Systems written (badly, for the most part) in PHP, there are more easily exploited, well connected servers than the spammers know what to do with. And they're harder to block than the residential zombies: you have to spot them one IP address at a time, where you could block the MSFT zombies in swaths of 65 thousand. And people are going to blame "Linux" for it.

    If Month of PHP Bugs gives these guys the kick in the ass they deserve, it will be a grand public service. Might even cut the spam a little. Oh please, fix that stupid borken mail() function.