Slashdot Mirror


PHP Security Expert Resigns

juct writes "PHP security holes have a name — quite often it was Stefan Esser who found and reported them. Now Esser has quit the PHP security team. He feels that his attempt to make PHP safer "from the inside" is futile. Basic security issues are not addressed sufficiently by the developers. Zeev Suraski, Zend's CTO, of course disagrees and urges Stefan to work with the PHP development team instead of working against it. But given the number of remote code execution holes in PHP apps this year, Esser might have a point. And he plans to continue his quest for security holes in PHP. Only that from now on, he will publish them after a reasonable time — regardless of whether a patch is available or not." Update: 10/30 12:57 GMT by KD: Zeev Suraski wrote in to protest: "I'm quoted as if I 'point fingers at inexperienced developers,' and of course, there's no link to that — because it's not true! The two issues — security problems in Web apps written in PHP, and security problems in PHP itself — are two distinct issues. Nobody, including myself, is saying that there are no security problems in PHP — not unlike pretty much any other piece of software. Nobody, I think, argues the fact that there have been many more security problems at the application level than there were at the language level. I never replied to Stefan's accusations of security problems in PHP saying 'that's bull, it's all the developers' fault,' and I have no intention to do it in the future."

12 of 386 comments

  1. YAY by phantomcircuit · Score: 1, Funny

    I for one would like to thank him for the nominal increase in success rates of attacks thanks to him!

    GREAT IDEA!!!!

  2. PHP Security Expert by mrshoe · Score: 5, Funny

    PHP Security Expert...

    Isn't that an oxymoron?

    --
    There are two types of people in this world: those that categorize other people and those that don't.

    1. Re:PHP Security Expert by Da+Fokka · Score: 2, Funny

      I know exactly nothing about PHP...

      ... I take the utmost care over security and this was the first ever breakin.

      Would you call blindly installing a server side scripting language of which you know nothing 'taking utmost care over security'?

  3. Re:Lemme guess... MySQL is also the best database? by Shads · Score: 3, Funny

    Any language is only as good as the programmer using it.

    I use a LAMP stack for the most part, many of the security holes in php aren't due to the language itself but the developers of the various webapps.

    That being said, this requires a repost of the ol Adminspotting thang.

    Choose no life. Choose no career. Choose no family.
    Choose a fucking big computer, choose disk arrays the
    size of washing machines, modem racks, CD-ROM writers,
    and electrical coffee makers. Choose no sleep, high
    caffeine and mental insurance. Choose no friends.
    Choose black jeans and matching combat boots. Choose
    chairs for your office in a range of fucking fabrics.
    Choose SMTP and wondering why the fuck you are logged
    on on a sunday morning. Choose sitting in that swivel
    chair looking at mind-numbing, spirit-crushing web sites,
    stuffing fucking junk food into your mouth. Choose
    rotting away at the end of it all, pishing your last in
    some miserable newsgroup, nothing more than an
    embarrassment to the selfish, fucked up lusers Gates
    spawned to replace the computer-literate.

    Choose your future.
    Choose to sysadmin.

    --
    Shadus

  4. Open source is the issue by Anonymous Coward · Score: 3, Funny

    It's widely acknowledged that open source programs are inherently insecure. Whether the cause is the availability of the "internal blueprints", the free-for-all repository commit access, or the rampant theft of patents, one wonders. By contrast, Microsoft's .NET platform, including the widely praised C#, doesn't have this problem. The guarding of the internal source code, the standards-adhering developers, and the rock-solid legality of its software patents give Microsoft an advantage versus the haphazard "open source" languages like PHP and Java. One wonders if this is a harbinger of future defections in the open source language camp. Speaking as a patent lawyer, I advise all developers to switch to .NET and Microsoft's enterprise-class C#.

  5. XSS by default by Anonymous Coward · Score: 5, Funny

    When I looked at Zend's introduction to PHP, the first sample PHP program was Hello World, and the second was a cross-site scripting vulnerability. Right, I'm going to trust these people.

  6. Re:As a PHP user.... by Shados · Score: 3, Funny

    non-thankful "that is a feature, not a bug."

    Oh boy... Microsoft bought out PHP...

  7. Shenanigans! by kahei · Score: 4, Funny

    Now, PHP came along and billed itself (and in fact was designed)

    I call shenanigans! No way was PHP 'designed'!

    --
    Whence? Hence. Whither? Thither.

  8. If he returns to the PHP after discussions by maroberts · Score: 3, Funny

    Would a suitable headline be "Goaded, Esser Back"?

    Apologies to Douglas R. Hofstadter

    --

    Donte Alistair Anderson Roberts - hi son!
    Karma: Chameleon

  9. If PGP... by Alioth · Score: 3, Funny

    If PGP stands for 'Pretty Good Privacy', I wonder if PHP should really stand for 'Pretty Hopeless Privacy'...

  10. Re:Question from a .NET developer trying to go OSS by I+Like+Pudding · Score: 2, Funny

    Any time I see a Rails vs. Django comparison, which is quite often, half of the Python users have their nose hiked 90 degrees into the air. They're maybe half as bad as the Lisp community (which rates a full centidijkstra in arrogance). I don't represent this as being scientific fact, but it is exactly what I have observed.

  11. Re:Question from a .NET developer trying to go OSS by I+Like+Pudding · Score: 2, Funny

    Says a Rails guy...

    The only Rails guy I see routinely mouthing off is DHH. Most of his invective (that I've read) is aimed at Java, though, which is a mitigating factor. J2EE is easy to bash because you'll be right most of the time.