[update] Month of PHP Bugs
Posted by jericho
I previously blogged about the Month of PHP Bugs [MOPB], an effort led by Stefan Esser and the Hardened PHP Project to raise awareness about vulnerabilities in the PHP language. The month has come and passed, and of course I have to wonder about a few things.
The project ended up releasing 45 vulnerabilities over 31 days, many of them remotely exploitable. For anyone who was under the delusion that PHP was “pretty secure”, think again. Not only were some of them remote; many were methods for bypassing the native protection mechanisms PHP offers, like open_basedir, or issues with various functions designed to filter bad input.
These “Month of X Bugs” projects always get a press blitz before they happen, but we rarely see the same news outlets cover the same thing a month later. It’s nice to see the results of the project, the number and type of vulnerabilities, as well as any insights (see comments on the previous blog post) the developers had.
The PHP project thankfully responded to many of these vulnerabilities already. PHP 5.2.1 and 4.4.5 fix a lot of security issues. Oh wait, that was released two weeks before the MOPB. Where is the next big release that fixes the unpatched issues?
All in all, a very impressive effort. Esser and the Hardened PHP Project have certainly raised the bar for the “Month of X Bugs” projects.

OSVDB has entries for each vulnerability reported. For a concise list, use the search page and put MOPB (without quotes) in the ‘reference’ field.
May I also recommend Jeff Forristal’s writeup on the same in his new blog? http://portal.spidynamics.com/blogs/jeff/archive/2007/04/03/The-current-state-of-PHP-security-2800w2F00-MOPB-full-review2900.aspx
Ask and you shall receive?
http://www.arnnet.com.au/index.php/id;1395934823;fp;16;fpid;1
By Howard Dahdah 10 April, 2007
PHP bug hunter Stefan Esser says he feels vindicated after his successful Month of PHP Bugs project which ran through March.
[..]