March To Be Month of PHP Bugs
PHP writes "Stefan Esser is the founder of both the Hardened-PHP Project and the PHP Security Response Team (which he recently left). During an interview with SecurityFocus he announced the upcoming Month of PHP bugs initiative in March." Quoting: "We will disclose different types of bugs, mainly buffer overflows or double free (/destruction) vulnerabilities, some only local, but some remotely triggerable... Additionally there are some trivial bypass vulnerabilities in PHP's own protection features... As a vulnerability reporter you feel kinda puzzled how people among the PHP Security Response Team can claim in public that they do not know about any security vulnerability in PHP, when you disclosed about 20 holes to them in the two weeks before. At this point you stop bothering whether anyone considers the disclosure of unreported vulnerabilities unethical. Additionally a few of the reported bugs have been known for years among the PHP developers and will most probably never be fixed. In total we have more than 31 bugs to disclose, and therefore there will be days when more than one vulnerability will be disclosed."
I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough...
You wouldn't be using PHP if you weren't an idiot yourself, so shut up with calling other PHP developers idiots, and blaming them for the problem. If you were such a great programmer, you would know better, and you wouldn't be using PHP in the first place.
-Don
Take a look and feel free: http://www.PieMenu.com
Can you please explain why register_globals was there in the first place? The reason is that PHP was designed by idiots, pure and simple. It should have never existed, not as an option, and especially not as a default setting. The same goes for magic_quotes_gpc and its ilk.
Face it: PHP is a horribly designed language from the core to its extremities, and you can't nickel-and-dime security issues as you discover them. The PHP development team's attitude just makes it much much much much worse. You're an idiot to trust them, and a danger to the Internet if you apologize for PHP, make excuses, and continue to evangelize and recruit naive developers.
-Don
Take a look and feel free: http://www.PieMenu.com
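As an added example that is not part of the article or of any commenter's post, the PHP below shows the mechanism behind the register_globals complaint from a defensive angle: with the directive on, every request parameter became a global variable, so any state variable a script only set on success was already attacker-supplied on failure. The request array, the `authenticatedUser()` stand-in and both check functions are constructed for this illustration; because register_globals is an ini directive (removed in PHP 5.4) and cannot be toggled at runtime, its effect is simulated here with `extract()`.

```php
<?php
// Added example (not from the article, the commenters, or the PHP project).
// Shows why register_globals was dangerous and the defensive pattern that
// does not depend on it. register_globals cannot be enabled from code, so
// its effect is simulated with extract() over a constructed request array.

declare(strict_types=1);

// Constructed sample request: a client that sends the expected "user"
// parameter plus one named after a variable the script never meant to
// accept from the outside.
$constructedRequest = ['user' => 'guest', 'authorized' => '1'];

function authenticatedUser(string $user): bool
{
    // Constructed stand-in for a real credential check; "guest" never passes.
    return $user === 'admin';
}

// Pattern 1: register_globals era. Request parameters become variables in the
// current scope, so a flag the code only *sets* on success already exists
// (with a client-chosen value) when authentication fails.
function legacyCheck(array $request): bool
{
    extract($request); // assumption: stands in for register_globals=On

    if (authenticatedUser($user)) {
        $authorized = true;
    }
    // Legacy code wrote plain "if ($authorized)" and relied on the variable
    // being undefined on failure; the "?? false" only silences the notice.
    return (bool) ($authorized ?? false);
}

// Pattern 2: defensive code. Initialise every state variable before use and
// read request data only through an explicit, type-checked lookup, never by
// letting the request define variable names.
function hardenedCheck(array $request): bool
{
    $authorized = false; // explicit initial state, independent of the request

    $user = (isset($request['user']) && is_string($request['user']))
        ? $request['user']
        : '';

    if (authenticatedUser($user)) {
        $authorized = true;
    }
    return $authorized;
}

// The same constructed request gives different answers under the two patterns:
// the legacy check is controlled by the stray "authorized" parameter, the
// hardened check by the credential check alone.
var_dump(legacyCheck($constructedRequest));
var_dump(hardenedCheck($constructedRequest));
```

The defensive pattern is the one that still matters after the directive is gone: code such as `extract($_GET)` or `foreach ($_REQUEST as $k => $v) $$k = $v;` re-creates register_globals by hand, and the fix is the same, initialise state variables explicitly and take request values only from the superglobals through validated lookups.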