
Month of PHP Bugs Begins

Daniel Fleshbourne   on 02 March 2007 - 18:18 · 5 comments & 2037 views

Security expert Stefan Esser has declared war on vulnerabilities in the PHP core with the "Month of PHP Bugs." PHP is an open-source HTML embedded scripting language used to create dynamic Web pages. The month-long effort is an attempt to improve the security of PHP, Esser said in a post on his Web site. It follows his contentious departure in December from the PHP Security Response Team, which he founded, after he accused The PHP Group of being too slow to fix problems.

Esser stressed, however, that he is not striking back at his old colleagues but is addressing legitimate security issues. "During March 2007, old and new security vulnerabilities in the Zend Engine, the PHP core and the PHP extensions will be disclosed on a day-by-day basis," he wrote. "We will also point out necessary changes in the current vulnerability management process used by the PHP Security Response Team."

View: The full story
News source: eWeek

(2 replies) #1 vetmarkjensen on 02 Mar 2007 - 18:29
Since they counted VLC as an "Apple" bug (since VLC can run on a Mac), I suppose they will also count problems with poorly-coded users' php scripts as php bugs.

On the serious side, identifying problems is good. Public release of bug info before letting the responsible party work on it is bad.
#1.1 GP007 on 02 Mar 2007 - 18:38
I think the VLC bug counted because it then used some other problem to break security, while it wouldn't have counted had OSX blocked it and not let it do anything. Then it would've just been a VLC bug and nothing more. OS bugs/holes are not the only security risk on your system. Every app you install that has something to do with the internet can be used to then take over your system. We've seen this a lot on Windows; IE aside, we've had bugs from Office apps to Symantec A/V apps that leave your system open.

I agree that finding the problems is good, but if you tell the company or people in charge of the product about them, and nothing gets fixed after a long time, public release of bug info is the only way to get them to fix things.
#1.2 vetmarkjensen on 02 Mar 2007 - 20:08
Quote - (GP007 said @ #1.1)
I agree that finding the problems is good, but if you tell the company or people in charge of the product about them, and nothing gets fixed after a long time, public release of bug info is the only way to get them to fix things.
Agree. But this crap is just attention-seeking grandstanding.

If the vendors don't respond/react, then I can see benefit to public disclosure. However, these idiots are publicly releasing information without proper advance notification to the responsible vendors.
(1 reply) #2 n_K on 03 Mar 2007 - 23:44
the zend development team are a bunch of selfish lame-ass morons with 30 mile heads stuck right up their asses.
http://bugs.php.net/bug.php?id=40487
idiots
#2.1 Unplugged on 05 Mar 2007 - 10:09
Somebody call the Whambulance?

If any of the problems detailed above were a serious issue then there would be a lot more than ONE person posting a bug on the PHP bug portal. They won't be the only person using that software combo, and seeing the majority of sites use sessions in one way or another, that would be a SERIOUS issue. That is most likely due to a config issue or a problem somewhere else, and the number of people who post a bug saying "Oh Noesss" when they screw something up makes me laugh.
