Slashdot Mirror

← Back to Stories (view on slashdot.org)

March To Be Month of PHP Bugs

Posted by kdawson on from the open-season dept.

PHP writes "Stefan Esser is the founder of both the Hardened-PHP Project and the PHP Security Response Team (which he recently left). During an interview with SecurityFocus he announced the upcoming Month of PHP bugs initiative in March." Quoting: "We will disclose different types of bugs, mainly buffer overflows or double free (/destruction) vulnerabilities, some only local, but some remotely triggerable... Additionally there are some trivial bypass vulnerabilities in PHP's own protection features... As a vulnerability reporter you feel kinda puzzled how people among the PHP Security Response Team can claim in public that they do not know about any security vulnerability in PHP, when you disclosed about 20 holes to them in the two weeks before. At this point you stop bothering whether anyone considers the disclosure of unreported vulnerabilities unethical. Additionally a few of the reported bugs have been known for years among the PHP developers and will most probably never be fixed. In total we have more than 31 bugs to disclose, and therefore there will be days when more than one vulnerability will be disclosed."

23 of 292 comments (clear)

  1. even if... by cosmocain · · Score: 3, Insightful

    ...there are that much holes in PHP (which i don't doubt), mr. esser seems to be on a kind of crusade since he left the security response team.

    1. Re:even if... by HBI · · Score: 1, Insightful

      I imagine if he'd written the patches to fix the problems they wouldn't have had any excuse not to accept them.

      This stinks of self-promotion. Calling something a "Month of PHP Bugs" does nothing to improve PHP's reputation. It sounds spiteful, in fact.

      Releasing an exploitable bug every day rather than just writing the code to fix it sounds really lame, too. The people being harassed by this are the people running PHP.

      I bet a lot fewer people will be after this month.

      --
      HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
    2. Re:even if... by gmack · · Score: 2, Insightful

      No.. it's a good thing. PHP apps are now the most common means of gaining a remote shell on Linux and as a sysadmin I have to constantly worry about what PHP code some customer installed can allow some attacker to break into my server. PHP allows some things it really shouldn't.. take includes on a variable for instance a few months back we had a machine spewing DoS attempts and the admin in charge of the box couldn't figure out how the attacker got a shell. The culprit? Some programmer used a variable to hold his includes and the attacker simply overrode that variable. Now you can (and we did) blame the programmer for being an idiot but the problem is that a language being sold as "great for anybody to start programming in" should be a lot safer by default I mean really.. what legitimate reason is there for that "feature" in the first place?

    3. Re:even if... by moranar · · Score: 4, Insightful

      Or maybe, just maybe, on reading the article we'd find he did "fork" PHP, through Hardened-PHP and Suhosin. The wonders never cease.

      --
      "I think it would be a good idea!"
      Gandhi, about Internet Security
  2. Re:great... by FredDC · · Score: 4, Insightful

    As opposed to "month-of-script-kiddies-working-hard-to-exploit-n on-patched-and-non-updated-websites"?

    --
    09 f9 11 02 9d 74 e3 5b d8 41 56 c5 63
  3. Partially surprising by Anonymous Coward · · Score: 5, Insightful

    I really shouldn't be surprised at the PHP team's approach to security any more, but it really does still surprise me from time to time. It's amazing, but the PHP team are worse than Microsoft ever were with security. And they don't even learn from this - they've had this attitude for as long as I can remember (PHP 3 days), and they just aren't getting it. Or rather, if they get it, they just don't care.

    1. Re:Partially surprising by Anonymous Coward · · Score: 1, Insightful

      However, to make a claim that the PHP team doesn't care about security is really incorrect, because in their latest versions, including PHP 5 and up, they have addressed the majority of complaints regarding insecure design.

      Well, no. They've hit a couple of the big ones, it's true. But I get the impression that this is to avoid people nagging more than anything; they completely ignore plenty of other design flaws. The only reason you can say that "they addressed the majority of complaints" is because the few things they did manage to fix were so mind-bogglingly bad that everybody was complaining about them.

      But more importantly, security is a property of their processes, not their design. Their processes are terrible. They ignore security reports. They dismiss crashing bugs as "user error". They don't have a release management system that copes with security patches. They did have, but they scrapped it because they were making too many security-only releases! Go ahead, tell me that isn't deliberately ignoring security.

      But you simply cannot claim it is PHP's fault that someone has the power to run exec($_GET['shell_command']).

      I'm not. It's true that there are vast numbers of these types of vulnerability, but a) that doesn't mean there aren't any with PHP itself, and b) some of them are directly caused by language/library misdesign (such as practically every SQL injection attack and most XSS vulnerabilities).

  4. For once by Timesprout · · Score: 4, Insightful

    I am actually glad to see one of these xxx month of bugs. Personally I have always thought PHP to be a steaming pile of poorly thought out garbage but there is no denying its popularity despite its flaws. Anything that actually helps the meme 'most php flaws are caused by poor programmers' actually become a reality by improving the core security of the language is therefore to be welcomed.

    --
    Do not try to read the dupe, thats impossible. Instead, only try to realize the truth
    What truth?
    There is no dupe
    1. Re:For once by jimicus · · Score: 2, Insightful

      Anything that actually helps the meme 'most php flaws are caused by poor programmers' actually become a reality

      Most flaws in any code are caused by poor programmers. It's possible to write clearly structured, well laid out code in BASIC (no, not visual BASIC, the real thing), as most implementations support things like local variables and procedures. It's just exceptionally rare.

      This is why so many computer science degrees (at least until recently in the UK) used Modula-2 or Pascal as their primary teaching language. Don't for one moment imagine the lecturers thought that these languages would be useful in the real world - the idea was to teach good practise.

    2. Re:For once by rho · · Score: 2, Insightful

      Personally I have always thought PHP to be a steaming pile of poorly thought out garbage but there is no denying its popularity despite its flaws.

      A critical thinker will look at those two clauses and derive some wisdom. PHP is not "poorly thought out", it changes to meet the market's needs. Java was very well thought out, but it's mostly popular with big shops where you can hire a guy for $70,000/year to maintain a tiny little bit of a larger program. PHP is very popular because it allows a single person (or a small group) to make functional applications quickly and easily, with a lot of flexibility.

      --
      Potato chips are a by-yourself food.
  5. Re:great... by bconway · · Score: 2, Insightful

    Well, to be fair, you did choose to use PHP, which is notoriously buggy and insecure.

    --
    Interested in open source engine management for your Subaru?
  6. Re:So, PHP means ? by Dimentox · · Score: 2, Insightful

    Actually PHP is not that insecure.. Its the people who do not know hjow to write code who are insecure. You blame PHP. I blame peole who actually think they can program but are nothing more but scripters. PHP can be secure. If you write it correctly. Think about the script kiddys who use automated perl scripts.. Should perl not be on systems? If you want real security unplug your machine.. it will be safe. Otherwise any machine can be vouln.

    --
    string sig = llGetSig("dimentox"); llSay(0,sig);
  7. Re:great... by kestasjk · · Score: 2, Insightful

    I'm a PHP enthusiast with a few servers running PHP apps, and I say bring it on. If such a small team can look for and find so many bugs I doubt a determined attacker would have much problem anyway.
    I'm sure that after the dust has settled PHP will be more secure than it was, and that can only be a good thing.

    --
    // MD_Update(&m,buf,j);
  8. Re:Your site is likely already compromised. by Anonymous Coward · · Score: 1, Insightful

    With all the effort necessary to set up Xen, strip out unused modules, fuck around with configuration settings, test it all out, etc., etc., it's probably just easier, cheaper and safer to go with something other than PHP.

  9. Re:So, PHP means ? by Anonymous Coward · · Score: 5, Insightful

    No, PHP is quite insecure. The libraries, the interpreter, and most PHP software are all poorly written.

    And if inexperienced scripters is really the major problem, then the PHP developers need to take them into account when developing PHP. This means that the PHP developers need to add features to their product that help prevent such inexperienced people from writing easily-exploitable scripts. There has been some work done in this area, but it's been minimal, and so far ineffective.

    Yes, inexperienced developers probably are responsible for many of the problems. But the more experienced (I would hope) developers of PHP itself need to step up to the plate, and do their part to deal with the problem of inexperienced developers writing poor code. Even if they don't do it in order to offer a better product, they should do it to save the few remaining strands of their reputation.

  10. Re:great... by Bastard+of+Subhumani · · Score: 3, Insightful

    If it's so buggy and insecure, why do so many large (and small, like the one I work for) companies have sites that use PHP
    I'm sure there's a fancy Latin name for it, but what you're saying is equivalent to "Eat shit - a billion flies can't be wrong".
    --
    Only three things are certain; death, taxes, and apocryphal quotations - Ben Franklin.
  11. Re:PHP is a disgrace to the open source community. by archen · · Score: 4, Insightful

    The problem with PHP is that it's very easy. One of the supposed advantages of Lamp is that it is also rather easy to set up and work with. I've seen more projects than I would care to, where the programmers couldn't code their way out of a paper bag but managed to accumulate a surprisingly functional mass of PHP spaghetti code. Perl is a good option only if the coders are disciplined, and having good structure is critical for a good Perl project. I don't have any experience with Python, but due to the nature of python language structure, you'll never be able to embed it the way you could with PHP (templates are necessary here as well).

    One of the problems with PHP is the fact that when the bar of entry is so low, you get a lot more low bar people actually coding it. It's become the next generation of VB garbage. The language is only half of the security problem (a half we could better do without, but still).

  12. Hear, hear. by cortana · · Score: 3, Insightful
    An anonymous coward said some time ago,

    When I looked at Zend's introduction to PHP, the first sample PHP program was Hello World, and the second was a cross-site scripting vulnerability.
  13. Re:Are bugs the problem? by poot_rootbeer · · Score: 2, Insightful

    I always had the feeling that the bad security reputation with PHP had less to do with technical bugs and more to do with how easy it is to write insecure code

    Or even more likely, how easy it is to download and run insecure code written by some other lousy programmer. It's not the people who are writing their own CMS systems that are getting haxor'd, it's the people who grabbed a copy of PHPNuke and threw it up there on the 'net.

  14. Re:PHP needs to be fixed in general by julesh · · Score: 2, Insightful

    If he really wants to make a difference, he should fork PHP and really fix up the language and interpreter to his liking.

    Err... he has.

    Sometimes I think people don't read the articles.

    Then I remember I'm reading slashdot.

  15. Re:great... by Bogtha · · Score: 2, Insightful

    people not quoting their SQL properly ... but should the PHP interpreter developers really be held accountable for other peoples' shoddy coding practices?

    In the case of SQL injection attacks, definitely yes. They provide add_slashes(), oh, but wait, that's insecure, so they provided mysql_escape_string() instead. Oh wait, that's insecure too, so they provided mysql_real_escape_string() instead. All the while, ignoring the fact that string concatenation is prone to security problems by its very nature, and ignoring the real solution — bound parameters — for years.

    --
    Bogtha Bogtha Bogtha
  16. Take down the service? by Kelson · · Score: 2, Insightful

    "You mean have to take down the entire service just because it wasn't compiled against this or that library? That's INSANE! What the hell is Linux FOR?"

    Really? Leaving aside the matter of using shared libraries, whenever I've had to add features to PHP it's gone like this:

    1. Configure PHP with new options
    2. Rebuild PHP
    3. Reinstall PHP
    4. service httpd configtest
    5. service httpd restart

    The only actual downtime occurs during step 5, which lasts maybe a second at most. This is Linux after all -- you can run the old version while you're installing the new one.

    Or am I misunderstanding your point?

  17. Re:great... by Anonymous Coward · · Score: 1, Insightful

    Well, a lot of that is because the PHP devs are huge MySQL fanboys, so they limit themselves to what MySQL can do, rather than what better databases do.