Month of PHP Bugs Has Begun

← Back to Stories (view on slashdot.org)

Posted by Zonk on Saturday March 3, 2007 @06:28AM from the quick-hide-the-furniture dept.

An anonymous reader writes "The previously announced Month of PHP Bugs started three days ago, and already lists 8 security vulnerabilities in PHP and PHP related software. From the site: 'This initiative is an effort to improve the security of PHP. However we will not concentrate on problems in the PHP language that might result in insecure PHP applications, but on security vulnerabilities in the PHP core. During March 2007 old and new security vulnerabilities in the Zend Engine, the PHP core and the PHP extensions will be disclosed on a day by day basis. We will also point out necessary changes in the current vulnerability management process used by the PHP Security Response Team.'"

9 of 165 comments (clear)

Min score:

Reason:

Sort:

Defective by Design? by Ckwop · 2007-03-03 06:34 · Score: 4, Interesting

We see a lot of people use the phrase "defective by design" when talking about Vista and in that instance I'm pretty sure the use of the term is correct.

Having never used PHP but heard of its many security problems I'm wondering: Is PHP defective by design? If so, why so and how would Slashdot seek to fix it?

Simon
1. Re:Defective by Design? by julesh · 2007-03-03 06:44 · Score: 5, Informative
  
  Is PHP defective by design?
  
  It was. A lot of work has been done in the last couple of major versions to fix this, but still a lot of installations are crippled in the name of backward compatibility.
  
  Most of what we're seeing here though is just run-of-the-mill sloppy coding. Create a lot of references to a variable and overflow its (16-bit) reference count? Please. That should never have happened.
  
  Fortunately, it seems most of the bugs released so far don't affect the majority of installations. We have a number of 'executing arbitrary PHP code can let somebody own your web server' -- well, most of us don't let random people run arbitrary PHP code anyway. We have some 'deserialising arbitrary data can let somebody own your web server' issues too, but then there has been a long-standing warning that PHP's deserialise function isn't secure anyway, so that shouldn't affect anyone who's been paying attention. We have some issues with the Zend Platform, but I'm not sure how many people have that installed. So far, the only issue to affect me, is the phpinfo XSS vulnerability -- and that just meant I had to delete my phpinfo.php file that I kept in the root of each domain I host.
2. Re:Defective by Design? by julesh · 2007-03-03 07:03 · Score: 4, Interesting
  
  I think PHP has got beyond the stupid-design-flaws-causing-security-issues stage. Now, as you correctly point out, the major issue is endemic insecure programming practices and a lack of attention to bug reports.
  
  How I wish we could just junk the language and start again with something else; unfortunately, market pressures being what they are, I'm afraid we're stuck with it, at least for the time being.
3. Re:Defective by Design? by aaronwormus · 2007-03-03 08:17 · Score: 5, Informative
  
  > I had to delete my phpinfo.php file that I kept in the root of each domain I host.
  
  if you left an open phpinfo() on your server (giving potential attackers access to filepaths, module version numbers, configuration options, apache server configuration options), you have a lot more to worry about than a little XSS.
  
  unfortunatly, you're not alone.
4. Re:Defective by Design? by Dan+Ost · 2007-03-03 08:26 · Score: 4, Insightful
  
  Actually, lots of people have abandoned PHP for Python and Ruby.
  
  It may never completely go away, but there are alternatives to using it.
  
  --
  
  *sigh* back to work...
5. Re:Defective by Design? by nuzak · 2007-03-03 08:50 · Score: 4, Interesting
  
  Done. http://www.caucho.com/resin-3.1/doc/quercus.xtp
  
  --
  Done with slashdot, done with nerds, getting a life.
6. Re:Defective by Design? by arodland · 2007-03-03 09:51 · Score: 4, Funny
  
  Nope. Definitely defective by lack of design.
Re:Parent isn't flamebait by Aladrin · 2007-03-03 07:43 · Score: 4, Interesting

So your webhost won't upgrade, and that's PHP's fault? PHP5 has been out a LONG time. Don't bother complaining about bugs in PHP4 simply because your website can't be bothered to upgrade. Find a decent webhost instead.

strpos() return FALSE when it can't find the 'needle'. http://us2.php.net/strpos Use a proper test (===) and you'll have all you need in a single statement.

Some people really LIKE dynamically-typed variables. It's not a bug or a problem. It's a design choice.

Your flamebait at the end (vbscript) does nothing to enhance your argument. Leave it off next time.

--
"If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
Oh Nose! by FedeLebron · 2007-03-03 08:09 · Score: 4, Funny

"A deep recursion of PHP userland code will exhaust all available stack which leads to a sometimes remotely triggerable crash."

I've found a very similar bug in GLIBC!
int main(){ main(); }
This code will cause a segment violation!

Shock! Gasp! Horror!