Slashdot Mirror


March To Be Month of PHP Bugs

PHP writes "Stefan Esser is the founder of both the Hardened-PHP Project and the PHP Security Response Team (which he recently left). During an interview with SecurityFocus he announced the upcoming Month of PHP bugs initiative in March." Quoting: "We will disclose different types of bugs, mainly buffer overflows or double free (/destruction) vulnerabilities, some only local, but some remotely triggerable... Additionally there are some trivial bypass vulnerabilities in PHP's own protection features... As a vulnerability reporter you feel kinda puzzled how people among the PHP Security Response Team can claim in public that they do not know about any security vulnerability in PHP, when you disclosed about 20 holes to them in the two weeks before. At this point you stop bothering whether anyone considers the disclosure of unreported vulnerabilities unethical. Additionally a few of the reported bugs have been known for years among the PHP developers and will most probably never be fixed. In total we have more than 31 bugs to disclose, and therefore there will be days when more than one vulnerability will be disclosed."

2 of 292 comments

  1. We audited PHP for some of our projects. by Anonymous Coward, Score: -1, Troll

    As a vulnerability reporter you feel kinda puzzled how people among the PHP Security Response Team can claim in public that they do not know about any security vulnerability in PHP, when you disclosed about 20 holes to them in the two weeks before.

    Only 20?! We recently audited several versions of PHP for a project we are developing at work. We didn't have high expectations of it going in. I mean, we were all aware that it has a fairly poor security record, but we had heard that there had been improvements recently, so we gave it a shot. Damn, did it fail badly.

    I think the one word that describes it best is "shitty". The semantics of the language are shitty. The standard libraries are shitty. The database interfacing support is shitty. The interpreter is shitty. The performance is shitty. Most of the web apps written using it were absolutely shitty.

    We decided to go with Django instead. At least Python is a sensible language, with well-developed standard library modules and a high-quality implementation. It's easy to see that Python was developed by people who had some background in programming language theory, as well as in real-world software development. PHP, on the other hand, seems like it was thrown together by a bunch of kids. It does not appear that much thought, if any, went into actually designing it. Maybe that's why it suffers from so many security flaws.

  2. PHP Fan-Boys like NeoCons Calling Dems Traitors by SimHacker, Score: -1, Troll

    I blame the PHP apologists and evangelizing fan-boys like you, who encourage and recruit naive developers and sloppy programmers to use PHP. To paraphrase Jon Stewart to Tucker Carlson: STOP EVANGELIZING AND MAKING EXCUSES FOR PHP, YOU ARE HURTING THE INTERNET!

    You're no better than the NeoCon fan-boys like Ann Coulter and Bill Kristol, who lied and lied to get us into a horrible war, and now blame the Democrats who were elected by the voters to get us out of the war, and call them traitors who should be hanged. You should be ashamed of yourself.

    -Don

    --
    Take a look and feel free: http://www.PieMenu.com