Month of PHP Bugs

Posted by jericho Fri, 02 Mar 2007 06:23:47 GMT

Hell hath no fury like a PHP developer scorned…

http://blog.php-security.org/archives/46-Month-of-PHP-bugs.html

During the last months there have been the Month of the Browser bugs and the Month of the Kernel bugs projects that tried to raise awareness for security vulnerabilities in browsers and kernels. After thinking a bit about this, I started to wonder if I should not start a Month of PHP bugs somewhen in the first half of 2007. At the PHP conference it was once again claimed that it is not PHP that is insecure but the applications written by novice programmers. While it is true that many PHP applications are written by people with no clue about security, it is absolutely not true that PHP is a secure programming language. I think it is necessary to make ALL people aware of this. The plan is therefore to choose one of the 31-day months after January and release every day a vulnerability in PHP itself. I would like to hear comments from the PHP community about this plan. (Be warned that anonymous rants will be deleted.)

To check out the bugs, visit http://www.php-security.org/. I will also be adding comments to this entry pointing out some of the interesting commentary and underlying message behind this effort.

6 comments

Comments

  1. jericho said 7 days later:

    http://www.php-security.org/MOPB/MOPB-01-2007.html

    Notes

    Because the PHP developers do not want to fix this anymore, as it creates problems for companies providing closed source PHP extensions, the only potential workaround is to manually change the size of the reference counter in your own PHP. However, if you do so you have to recompile all your PHP extensions and cannot use closed source PHP extensions anymore.

  2. jericho said 7 days later:

    http://www.php-security.org/MOPB/MOPB-02-2007.html

    Notes

    The PHP developers are unwilling to fix this problem. It was brought up a myriad of times in discussions, but they won't accept any solution for it.

  3. jericho said 7 days later:

    http://www.php-security.org/MOPB/MOPB-03-2007.html

    Notes

    Because the PHP developers are unwilling to add hard limits on the depth of PHP arrays, there is currently only the possibility to use the Suhosin extension, which limits the depth of arrays in the user input, or to configure your web application firewall to drop high amounts of ‘[’ in variable names.

  4. jericho said 7 days later:

    http://www.php-security.org/MOPB/MOPB-08-2007.html

    Summary

    With PHP 4.4.3 a previously fixed bug that was disclosed at the end of October 2005 by the Hardened-PHP Project was reintroduced.

  5. jericho said 7 days later:

    http://www.php-security.org/MOPB/MOPB-09-2007.html

    Summary

    Since Stefan Esser left the PHP Security Response Team there have been countless pseudo security fixes to the PHP CVS. With pseudo security fixes we mean replacing safe calls of functions considered unsafe (like strncpy, sprintf) with calls to functions considered more secure (e.g. strlcpy, spprintf).

    Unfortunately these changes were done very sloppily and had to be reverted in several places, because they actually broke the underlying code and some users complained about it. There is however a place within the WDDX extension where a buffer overflow was introduced to the code that can be triggered by specially crafted (malformed) WDDX packets.

  6. jericho said 7 days later:

    http://www.php-security.org/MOPB/MOPB-16-2007.html

    Notes

    In the circles of PHP developers this vulnerability is called a local one, although a lot of applications allow supplying URLs either through URL include vulnerabilities or by design. Examples are avatar upload functions or the Wordpress Pingback code (not in the latest versions
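The workaround in comment 3 (MOPB-03) mentions having a web application firewall drop requests with high amounts of ‘[’ in variable names. As an added example, not from the original post or the MOPB advisories, here is a Python check that computes the array nesting depth PHP would build from each request variable name and flags access-log entries over an assumed limit; the limit, the log format and the sample lines are constructed for this illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed policy value for this example; tune it to the deepest nesting
# your own application legitimately uses.
MAX_ARRAY_DEPTH = 50

# Request target inside the quoted request line of a common-log-format entry.
_REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/')


def array_depth(name: str) -> int:
    """Nesting depth PHP creates for a variable name such as a[b][c] (-> 2)."""
    return name.count("[")


def max_depth_in_query(query: str) -> int:
    """Deepest array nesting among all variable names in a raw query string.

    parse_qsl percent-decodes names, so %5B counts like a literal bracket,
    matching how PHP decodes the request before building its arrays.
    """
    names = (k for k, _ in parse_qsl(query, keep_blank_values=True))
    return max((array_depth(k) for k in names), default=0)


def flag_requests(log_lines, limit=MAX_ARRAY_DEPTH):
    """Return (line_no, depth) for every log entry exceeding the limit."""
    flagged = []
    for n, line in enumerate(log_lines, 1):
        m = _REQUEST_RE.search(line)
        if not m:
            continue  # malformed or non-HTTP entry: nothing to inspect
        depth = max_depth_in_query(urlsplit(m.group(1)).query)
        if depth > limit:
            flagged.append((n, depth))
    return flagged


# Constructed access-log lines (not real traffic) for a quick self-check.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2007:10:00:00 +0000] "GET /index.php?user[name]=bob&user[prefs][theme]=dark HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Mar/2007:10:00:01 +0000] "GET /post.php?d' + '[]' * 200 + '=1 HTTP/1.1" 200 17',
    '192.0.2.12 - - [01/Mar/2007:10:00:02 +0000] "GET /post.php?d' + '%5B%5D' * 60 + '=1 HTTP/1.1" 200 17',
    '192.0.2.13 - - [01/Mar/2007:10:00:03 +0000] "POST /login.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for line_no, depth in flag_requests(SAMPLE_LOG):
        print(f"line {line_no}: array depth {depth} exceeds {MAX_ARRAY_DEPTH}")
```

The same depth function can be applied to a POST body in application/x-www-form-urlencoded form, since PHP builds arrays from it with the same bracket syntax.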
