Slashdot Mirror

← Back to Stories (view on slashdot.org)

March To Be Month of PHP Bugs

Posted by kdawson on from the open-season dept.

PHP writes "Stefan Esser is the founder of both the Hardened-PHP Project and the PHP Security Response Team (which he recently left). During an interview with SecurityFocus he announced the upcoming Month of PHP bugs initiative in March." Quoting: "We will disclose different types of bugs, mainly buffer overflows or double free (/destruction) vulnerabilities, some only local, but some remotely triggerable... Additionally there are some trivial bypass vulnerabilities in PHP's own protection features... As a vulnerability reporter you feel kinda puzzled how people among the PHP Security Response Team can claim in public that they do not know about any security vulnerability in PHP, when you disclosed about 20 holes to them in the two weeks before. At this point you stop bothering whether anyone considers the disclosure of unreported vulnerabilities unethical. Additionally a few of the reported bugs have been known for years among the PHP developers and will most probably never be fixed. In total we have more than 31 bugs to disclose, and therefore there will be days when more than one vulnerability will be disclosed."

3 of 292 comments (clear)

  1. great... by blantonl · · Score: 5, Informative

    Looks like this will also be "Month-of-me-working-harder-to-make-sure-my-site-i s-patched- and-updated-and-not-exploited-by-script-kiddies"

    --
    Lindsay Blanton
    RadioReference.com
  2. Install modsecurity by HxBro · · Score: 5, Informative

    I recently installed modsecurity http://www.modsecurity.org/ for apache along with the rules from http://www.gotroot.com/ and it's done a good job of blocking attacks on my server including a lot of the php mail() injection attempts, whilst it has shown up a few false positives like someone posting a message with sql keywords e.g. "select" "from", it is certainly worth installing even if you have to monitor the logs for a bit afterwards to watch for the false positives and alter the rules accordingly.

    Whilst it probably won't solve a lot of the problems with php and security it does help protect the server especially when you don't have control over what your users are uploading to their web space.

  3. Re:even if... by Alphager · · Score: 5, Informative

    He began his crusade when he founded the security-team: He wants a secure PHP. He left the security-team out of frustration that the main devs didn't care about security (leaving security-critical bugs unfixed for ages). This month of PHP-bugs is his effort to put pressure on the devs to finally make security a priority.