March To Be Month of PHP Bugs
PHP writes "Stefan Esser is the founder of both the Hardened-PHP Project and the PHP Security Response Team (which he recently left). During an interview with SecurityFocus he announced the upcoming Month of PHP bugs initiative in March." Quoting: "We will disclose different types of bugs, mainly buffer overflows or double free (/destruction) vulnerabilities, some only local, but some remotely triggerable... Additionally there are some trivial bypass vulnerabilities in PHP's own protection features... As a vulnerability reporter you feel kinda puzzled how people among the PHP Security Response Team can claim in public that they do not know about any security vulnerability in PHP, when you disclosed about 20 holes to them in the two weeks before. At this point you stop bothering whether anyone considers the disclosure of unreported vulnerabilities unethical. Additionally a few of the reported bugs have been known for years among the PHP developers and will most probably never be fixed. In total we have more than 31 bugs to disclose, and therefore there will be days when more than one vulnerability will be disclosed."
I always had the feeling that the bad security reputation with PHP had less to do with technical bugs and more to do with how easy it is to write insecure code (especially when using the mysql module). Also at fault is the general lack of programming understanding by the amateurs who find their way to PHP because it is so easy to go from having a static HTML page to a dynamic PHP page. Are there a lot of vulnerabilities in the interpreter?
It's amazing, but the PHP team are worse than Microsoft ever were with security.
This is very true. And also very unfortunate. When it comes to many managers, PHP has given the entire open source community a bad name. This is mainly because it has been repeatedly pushed as being part of the LAMP suite, when in fact Python and Perl are far better options for the 'P'. So when you recommend the use of Linux, Apache or MySQL, they automatically think of PHP, and recall how terrible its security is. And then they associate that lack of security with Linux, Apache and MySQL, even when that's not the case!
If there's one thing the open source community as a whole should do, it should be to disown PHP. Responsible open source developers and projects need to just stop using it for their web sites. It'd be good if more things like this Month of PHP Bugs were held, just to show the public that the OSS community knows that PHP is terrible, and wants to do something about it. The longer we continue to use PHP, the harder it will be to repair the reputation of even completely unrelated (and far more secure) open source projects.
The problem isn't just the coders, it's the fault of the language, too. Sure, you can write fairly secure PHP code, but the language itself does not lend itself to teaching security. It's plainly evident that most features have "ease of use" ahead of "security" -- Register Globals is a prime example. I could have told you from the start that registering variables based on the names of POST/GET values was a Bad Idea(tm). Hell, anyone could have.
PHP is also forever afraid of breaking backwards compatibility. They probably don't want to scare PHP coders.
They also have issues around the monolithic nature of PHP. Oh, you want image processing? Recompile PHP! Oh, you need XML processing? Recompile PHP! There is no isolation whatsoever, everything resides in the same namespace.
I am glad that they are making progress, though. PHP 5 finally brought their OO up to speed (mostly). They finally have a secure, native database connector (PDO) that supports escaped bound parameters. PHP 6 is finally removing some deprecated features.
That said, I still am wary when I log into a website that holds my personal information and see a ".php" URL.
(I was a full time PHP developer for about 6 years. Was.)
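The Register Globals pitfall mentioned a few comments up, as an added example that is not code from the original post or from the PHP project. register_globals was removed from PHP in 5.4, so the script stands in for it with extract() over a constructed request array; the credential check and the parameter names are assumptions made for the illustration.

```php
<?php
// Added example (not from the original post): the register_globals pitfall.
// register_globals was removed in PHP 5.4; extract() on a constructed request
// array stands in for it here so the script runs on any current PHP.
declare(strict_types=1);

// Hypothetical credential check standing in for a real user store.
function check_password(string $user, string $pass): bool
{
    return $user === 'admin' && $pass === 'correct horse';
}

// Vulnerable: with register_globals every request parameter becomes a PHP
// variable, so a request that carries ?authorized=1 pre-sets the flag that
// this code only expects to be created when the password check passes.
function login_register_globals(array $request): bool
{
    extract($request, EXTR_OVERWRITE); // simulates register_globals = On
    if (check_password((string)($user ?? ''), (string)($pass ?? ''))) {
        $authorized = true;
    }
    return !empty($authorized);
}

// Hardened: initialise the flag, read request data only through explicit
// lookups, and never let the request choose variable names.
function login_explicit(array $request): bool
{
    $authorized = false;
    $user = (string)($request['user'] ?? '');
    $pass = (string)($request['pass'] ?? '');
    if (check_password($user, $pass)) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed requests: a legitimate login, a wrong password, and the wrong
// password plus an attacker-chosen authorized=1 parameter.
$good   = ['user' => 'admin', 'pass' => 'correct horse'];
$bad    = ['user' => 'admin', 'pass' => 'guess'];
$forged = ['user' => 'admin', 'pass' => 'guess', 'authorized' => '1'];

foreach (['good' => $good, 'bad' => $bad, 'forged' => $forged] as $label => $req) {
    printf("%-6s register_globals=%s explicit=%s\n", $label,
        var_export(login_register_globals($req), true),
        var_export(login_explicit($req), true));
}
```

Run with `php register_globals.php` (any file name). The good request is accepted by both functions and the wrong password is rejected by both, but the forged request is accepted by the register_globals version only: extract() created `$authorized` from the query string before the password check ran, and the code never set it to false itself. The explicit version is immune for two independent reasons: the flag is initialised, and request data can only reach the function through named array lookups, never as variable names.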
I really shouldn't be surprised at the PHP team's approach to security any more, but it really does still surprise me from time to time. It's amazing, but the PHP team are worse than Microsoft ever were with security. And they don't even learn from this - they've had this attitude for as long as I can remember (PHP 3 days), and they just aren't getting it. Or rather, if they get it, they just don't care.
I'm not surprised. Their attitude to bug reports in general is pretty hostile. See, for instance, this report of a segmentation fault bug.
You are correct, but that doesn't make net irritants that are permitted by insecure setups any less irritating. One of the biggest problems that comes to mind is shared web hosting providers who have no choice but to run PHP 'wide open', allowing almost all functionality and without the benefit of phpsuexec to find which sites they host are letting the bots in.
They have no control or knowledge of what people upload. Someone could upload a 2 year old copy of phpBB they had on CD, not knowing any better, and now you have a gigabit-connected spam cannon hurling garbage at the rest of us.
I'm not saying it's *just* shared hosts that (help to) give PHP the reputation it's been getting, but they are a major contributor. Some take proactive measures to try and at least curtail it; most do not.
It's going to be a 'fun' month for those of us who have to deal with abuse issues. That is more than certain. I think I speak for many when I say: "Aww, SHIT."
"At this point you stop bothering whether anyone considers the disclosure of unreported vulnerabilities unethical."
Maybe. But to take more than 31 bugs and disclose them a day at a time so that in effect major web-facing infrastructure for big business and home users alike will have no chance at all of being secured during this entire window, all for the purposes of publicity?
'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'
I'm not sure if perl itself is a bug, or the greatest programming language ever written?
Sort of like C. Buffer overflows are easy and common. Are those security vulnerabilities? I'd like to see a month of C bugs where they just list things like strcpy, malloc, free, and any statement that has a * in it.
There are many reasons that addslashes is insecure, and if you think about it, you should be able to come up with a few yourself. Have you ever heard of Unicode? Do you really know what the quoting conventions of your database are, or are you just assuming that addslashes somehow magically does? Have you even bothered to use google or read any of the many security articles about PHP? Obviously not. And the same goes for so many other PHP developers. They need training wheels and adult supervision, otherwise they wouldn't have made such a horrible decision to use PHP in the first place.
The issue is that PHP has many functions and mis-features like magic_quotes_gpc that pretend to give you some level of security but ACTUALLY DON'T, combined with the fact that there are a lot of naive and sloppy programmers out there like you, who have no idea what the issues are, and have never bothered to think about them or even look them up on the internet. The problems are WELL DOCUMENTED AND WIDELY DISCUSSED. You have no excuse for not knowing them. You can use google as well as anybody, and educate yourself, but you choose not to.
But it's wrong to blame the ignorant sloppy application developers, when the language actually offers them up so many false non-solutions and dangerous pitfalls. It ENCOURAGES ignorant developers to make mistakes. Why didn't they remove addslashes, magic_quotes_gpc, and all those other horrible bugs a long time ago, instead of leaving them in there to tempt ignorant people into using them? The design of the PHP language and libraries and the attitude of the PHP development team is the core of the problem that causes sloppy application developers to make so many mistakes.
-Don
Take a look and feel free: http://www.PieMenu.com
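The two points above about quoting conventions (the reply just above on addslashes, and the earlier comment about PDO with bound parameters), as one added example that is not code from either commenter or from the PHP project. It assumes the pdo_sqlite extension so that it runs offline against an in-memory database; the table, rows and attacker input are constructed for the illustration. SQLite is a deliberate choice: its only escape for a quote inside a string literal is a doubled quote and a backslash means nothing, so addslashes(), which emits MySQL-style backslash escapes, does not neutralise anything here. (The multibyte-charset bypass the reply hints at with "Unicode" needs a live MySQL connection in a charset such as GBK and is not shown.)

```php
<?php
// Added example (not code from the original thread): addslashes() versus a
// PDO prepared statement. Assumes the pdo_sqlite extension is available.
declare(strict_types=1);

function connect(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed sample data for the example.
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)');
    $db->exec("INSERT INTO users (name, secret) VALUES ('alice', 's3cret-a'), ('bob', 's3cret-b')");
    return $db;
}

// Vulnerable: builds SQL by hand and trusts addslashes() to neutralise quotes.
// addslashes() turns \ into \\ and ' into \', which is MySQL's convention.
// In SQLite a backslash is an ordinary character, so the literal still ends at
// the attacker's quote and whatever follows it is parsed as SQL.
function lookup_addslashes(PDO $db, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '" . addslashes($name) . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the value travels as a bound parameter and is never part of the
// SQL text, so the database's quoting rules are irrelevant to the caller.
function lookup_prepared(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = connect();

// Attacker input: a backslash, a quote, a tautology, then a comment marker.
// addslashes() produces  \\\' OR 1=1 --  and the finished statement becomes
//   SELECT name FROM users WHERE name = '\\\' OR 1=1 --'
// which SQLite reads as  name = '\\\'  OR 1=1  followed by a comment.
$payload = "\\' OR 1=1 --";

var_dump(lookup_addslashes($db, 'alice'));
var_dump(lookup_addslashes($db, $payload));
var_dump(lookup_prepared($db, $payload));
```

Running it shows the benign lookup returning one name, the addslashes() lookup with the payload returning every user in the table (the `OR 1=1` became live SQL), and the prepared-statement lookup with the same payload returning an empty array, because no row is literally named that. The same hand-built query would behave differently again against MySQL, which is exactly the point the reply makes: an escaping function encodes one database's conventions, while a bound parameter sidesteps the question entirely.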
Well then those hosting companies should quit selling $1.99/mo hosting plans to idiots.
I'm sick of this anti-darwinian modernism where you have to kiss ass to the dumbest man on the planet or get sued into oblivion. It used to be, if you wanted to write code, you had to be a programmer. I don't care how easy they make coding, if you're not a programmer then you're gonna have to find one and pay them to do it right. It's not the hosting company's fault if you're trying to do something that's way above your head.
-Billco, Fnarg.com
If you're a programmer and you don't see huge problems with both the design of PHP itself and the standard library you should just quit now and find another hobby/profession.
I'm a programmer. I work with PHP. I see a hell of a lot of problems with its design and implementation. Am I ready to dump it and switch to something better? You bet. I've been waiting for the chance for the last 5 years or more.
Can I actually do this?
No. The marketplace is such that if I implement my solutions in any other environment, I'm cutting myself out of large chunks of the market simply because people might choose a hosting provider that doesn't support whatever alternative language I choose to use.