March To Be Month of PHP Bugs

PHP writes "Stefan Esser is the founder of both the Hardened-PHP Project and the PHP Security Response Team (which he recently left). During an interview with SecurityFocus he announced the upcoming Month of PHP bugs initiative in March." Quoting: "We will disclose different types of bugs, mainly buffer overflows or double free (/destruction) vulnerabilities, some only local, but some remotely triggerable... Additionally there are some trivial bypass vulnerabilities in PHP's own protection features... As a vulnerability reporter you feel kinda puzzled how people among the PHP Security Response Team can claim in public that they do not know about any security vulnerability in PHP, when you disclosed about 20 holes to them in the two weeks before. At this point you stop bothering whether anyone considers the disclosure of unreported vulnerabilities unethical. Additionally a few of the reported bugs have been known for years among the PHP developers and will most probably never be fixed. In total we have more than 31 bugs to disclose, and therefore there will be days when more than one vulnerability will be disclosed."

Are bugs the problem?

[cerelib]

I always had the feeling that the bad security reputation with PHP had less to do with technical bugs and more to do with how easy it is to write insecure code(especially when using the mysql module). Also at fault is the general lack of programming understanding by the amatuers who find their way to PHP because it is so easy to go from having a static HTML page to a dynamic PHP page. Are there a lot of vulnerabilities in the interpreter?

PHP is a disgrace to the open source community.

It's amazing, but the PHP team are worse than Microsoft ever were with security.

This is very true. And also very unfortunate. When it comes to many managers, PHP has given the entire open source community a bad name. This is mainly because it has been repeatedly pushed as being part of the LAMP suite, when in fact Python and Perl are far better options for the 'P'. So when you recommend the use of Linux, Apache or MySQL, they automatically think of PHP, and recall how terrible its security is. And then they associate that lack of security with Linux, Apache and MySQL, even when that's not the case!

If there's one thing the open source community as a whole should do, it should be to disown PHP. Responsible open source developers and projects need to just stop using it for their web sites. It'd be good if more things like this Month of PHP Bugs were held, just to show the public that the OSS community knows that PHP is terrible, and wants to do something about it. The longer we continue to use PHP, the harder it will be to repair the reputation of even completely unrelated (and far more secure) open source projects.

Re:So, PHP means ?

[daeg]

The problem isn't just the coders, it's the fault of the language, too. Sure, you can write fairly secure PHP code, but the language itself does not lend itself to teaching security. It's plainly evident that most features have "ease of use" ahead of "security" -- Register Globals is a prime example. I could have told you from the start that registering variables based on the names of POST/GET values was a Bad Idea(tm). Hell, anyone could have.

PHP is also forever afraid of breaking backwards compatibility. They probably don't want to scare PHP coders.

They also have issues around the monolithic nature of PHP. Oh, you want image processing? Recompile PHP! Oh, you need XML processing? Recompile PHP! There is no isolation whatsoever, everything resides in the same namespace.

I am glad that they are making progress, though. PHP 5 finally brought their OO up to speed (mostly). They finally have a secure, native database connector (PDO) that supports escaped bound parameters. PHP 6 is finally removing some deprecated features.

That said, I still am weary when I log into a website that holds my personal information and see a ".php" URL.

(I was a full time PHP developer for about 6 years. Was.)

Re:Pot calling the kettle black

[julesh]

If you're a programmer and you don't see huge problems with both the design of PHP itself and the standard library you should just quit now and find another hobby/profession.

I'm a programmer. I work with PHP. I see a hell of a lot of problems with its design and implementation. Am I ready to dump it and switch to something better? You bet. I've been waiting for the chance for the last 5 years or more.

Can I actually do this?

No. The marketplace is such that if I implement my solutions in any other environment, I'm cutting myself out of large chunks of the market simply because people might choose a hosting provider that doesn't support whatever alternative language I choose to use.