Slashdot Mirror

← Back to Stories (view on slashdot.org)

March To Be Month of PHP Bugs

Posted by kdawson on from the open-season dept.

PHP writes "Stefan Esser is the founder of both the Hardened-PHP Project and the PHP Security Response Team (which he recently left). During an interview with SecurityFocus he announced the upcoming Month of PHP bugs initiative in March." Quoting: "We will disclose different types of bugs, mainly buffer overflows or double free (/destruction) vulnerabilities, some only local, but some remotely triggerable... Additionally there are some trivial bypass vulnerabilities in PHP's own protection features... As a vulnerability reporter you feel kinda puzzled how people among the PHP Security Response Team can claim in public that they do not know about any security vulnerability in PHP, when you disclosed about 20 holes to them in the two weeks before. At this point you stop bothering whether anyone considers the disclosure of unreported vulnerabilities unethical. Additionally a few of the reported bugs have been known for years among the PHP developers and will most probably never be fixed. In total we have more than 31 bugs to disclose, and therefore there will be days when more than one vulnerability will be disclosed."

16 of 292 comments (clear)

  1. So, PHP means ? by Rastignac · · Score: 4, Funny

    Public Holes Publication, isn't it ? ;)

    --
    -- Rastignac was here.
    1. Re:So, PHP means ? by Anonymous Coward · · Score: 5, Insightful

      No, PHP is quite insecure. The libraries, the interpreter, and most PHP software are all poorly written.

      And if inexperienced scripters is really the major problem, then the PHP developers need to take them into account when developing PHP. This means that the PHP developers need to add features to their product that help prevent such inexperienced people from writing easily-exploitable scripts. There has been some work done in this area, but it's been minimal, and so far ineffective.

      Yes, inexperienced developers probably are responsible for many of the problems. But the more experienced (I would hope) developers of PHP itself need to step up to the plate, and do their part to deal with the problem of inexperienced developers writing poor code. Even if they don't do it in order to offer a better product, they should do it to save the few remaining strands of their reputation.

    2. Re:So, PHP means ? by daeg · · Score: 5, Interesting

      The problem isn't just the coders, it's the fault of the language, too. Sure, you can write fairly secure PHP code, but the language itself does not lend itself to teaching security. It's plainly evident that most features have "ease of use" ahead of "security" -- Register Globals is a prime example. I could have told you from the start that registering variables based on the names of POST/GET values was a Bad Idea(tm). Hell, anyone could have.

      PHP is also forever afraid of breaking backwards compatibility. They probably don't want to scare PHP coders.

      They also have issues around the monolithic nature of PHP. Oh, you want image processing? Recompile PHP! Oh, you need XML processing? Recompile PHP! There is no isolation whatsoever, everything resides in the same namespace.

      I am glad that they are making progress, though. PHP 5 finally brought their OO up to speed (mostly). They finally have a secure, native database connector (PDO) that supports escaped bound parameters. PHP 6 is finally removing some deprecated features.

      That said, I still am weary when I log into a website that holds my personal information and see a ".php" URL.

      (I was a full time PHP developer for about 6 years. Was.)

  2. great... by blantonl · · Score: 5, Informative

    Looks like this will also be "Month-of-me-working-harder-to-make-sure-my-site-i s-patched- and-updated-and-not-exploited-by-script-kiddies"

    --
    Lindsay Blanton
    RadioReference.com
    1. Re:great... by FredDC · · Score: 4, Insightful

      As opposed to "month-of-script-kiddies-working-hard-to-exploit-n on-patched-and-non-updated-websites"?

      --
      09 f9 11 02 9d 74 e3 5b d8 41 56 c5 63
  3. Huh by Anonymous Coward · · Score: 5, Funny

    I thought every month was PHP Bugs month?

  4. Partially surprising by Anonymous Coward · · Score: 5, Insightful

    I really shouldn't be surprised at the PHP team's approach to security any more, but it really does still surprise me from time to time. It's amazing, but the PHP team are worse than Microsoft ever were with security. And they don't even learn from this - they've had this attitude for as long as I can remember (PHP 3 days), and they just aren't getting it. Or rather, if they get it, they just don't care.

  5. For once by Timesprout · · Score: 4, Insightful

    I am actually glad to see one of these xxx month of bugs. Personally I have always thought PHP to be a steaming pile of poorly thought out garbage but there is no denying its popularity despite its flaws. Anything that actually helps the meme 'most php flaws are caused by poor programmers' actually become a reality by improving the core security of the language is therefore to be welcomed.

    --
    Do not try to read the dupe, thats impossible. Instead, only try to realize the truth
    What truth?
    There is no dupe
  6. Install modsecurity by HxBro · · Score: 5, Informative

    I recently installed modsecurity http://www.modsecurity.org/ for apache along with the rules from http://www.gotroot.com/ and it's done a good job of blocking attacks on my server including a lot of the php mail() injection attempts, whilst it has shown up a few false positives like someone posting a message with sql keywords e.g. "select" "from", it is certainly worth installing even if you have to monitor the logs for a bit afterwards to watch for the false positives and alter the rules accordingly.

    Whilst it probably won't solve a lot of the problems with php and security it does help protect the server especially when you don't have control over what your users are uploading to their web space.

  7. Re:even if... by Alphager · · Score: 5, Informative

    He began his crusade when he founded the security-team: He wants a secure PHP. He left the security-team out of frustration that the main devs didn't care about security (leaving security-critical bugs unfixed for ages). This month of PHP-bugs is his effort to put pressure on the devs to finally make security a priority.

  8. Are bugs the problem? by cerelib · · Score: 4, Interesting

    I always had the feeling that the bad security reputation with PHP had less to do with technical bugs and more to do with how easy it is to write insecure code(especially when using the mysql module). Also at fault is the general lack of programming understanding by the amatuers who find their way to PHP because it is so easy to go from having a static HTML page to a dynamic PHP page. Are there a lot of vulnerabilities in the interpreter?

  9. PHP is a disgrace to the open source community. by Anonymous Coward · · Score: 5, Interesting

    It's amazing, but the PHP team are worse than Microsoft ever were with security.

    This is very true. And also very unfortunate. When it comes to many managers, PHP has given the entire open source community a bad name. This is mainly because it has been repeatedly pushed as being part of the LAMP suite, when in fact Python and Perl are far better options for the 'P'. So when you recommend the use of Linux, Apache or MySQL, they automatically think of PHP, and recall how terrible its security is. And then they associate that lack of security with Linux, Apache and MySQL, even when that's not the case!

    If there's one thing the open source community as a whole should do, it should be to disown PHP. Responsible open source developers and projects need to just stop using it for their web sites. It'd be good if more things like this Month of PHP Bugs were held, just to show the public that the OSS community knows that PHP is terrible, and wants to do something about it. The longer we continue to use PHP, the harder it will be to repair the reputation of even completely unrelated (and far more secure) open source projects.

    1. Re:PHP is a disgrace to the open source community. by archen · · Score: 4, Insightful

      The problem with PHP is that it's very easy. One of the supposed advantages of Lamp is that it is also rather easy to set up and work with. I've seen more projects than I would care to, where the programmers couldn't code their way out of a paper bag but managed to accumulate a surprisingly functional mass of PHP spaghetti code. Perl is a good option only if the coders are disciplined, and having good structure is critical for a good Perl project. I don't have any experience with Python, but due to the nature of python language structure, you'll never be able to embed it the way you could with PHP (templates are necessary here as well).

      One of the problems with PHP is the fact that when the bar of entry is so low, you get a lot more low bar people actually coding it. It's become the next generation of VB garbage. The language is only half of the security problem (a half we could better do without, but still).

  10. Wait... by kahei · · Score: 4, Funny


    Only a month?

    Ha ha, yes, thank you, I'll be here all week, bringing predictable yet mildly amusing banter. In fact, I'll be here all year. The whole of my life, probably. *breaks down and cries*

    --
    Whence? Hence. Whither? Thither.
  11. Re:even if... by moranar · · Score: 4, Insightful

    Or maybe, just maybe, on reading the article we'd find he did "fork" PHP, through Hardened-PHP and Suhosin. The wonders never cease.

    --
    "I think it would be a good idea!"
    Gandhi, about Internet Security
  12. Coming in April by bill_mcgonigle · · Score: 4, Funny

    "Month of Shooting Fish In a Barrel"

    At least the Month of Apple Bugs was a hard target to go after.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)