Month of PHP Bugs Begins

Security expert Stefan Esser has declared war on vulnerabilities in the PHP core with the "Month of PHP Bugs." PHP is an open-source, HTML-embedded scripting language used to create dynamic Web pages. The month-long effort is an attempt to improve the security of PHP, Esser said in a post on his Web site. It follows his contentious departure in December from the PHP Security Response Team, which he founded, after he accused The PHP Group of being too slow to fix problems.

Esser stressed, however, that he is not striking back at his old colleagues but is addressing legitimate security issues. "During March 2007, old and new security vulnerabilities in the Zend Engine, the PHP core and the PHP extensions will be disclosed on a day-by-day basis," he wrote. "We will also point out necessary changes in the current vulnerability management process used by the PHP Security Response Team."

News source: eWeek


5 Comments


Somebody call the Whambulance?

If any of the problems detailed above were a serious issue then there would be a lot more than ONE person posting a bug on the PHP bug portal. They won't be the only person using that software combo, and seeing as the majority of sites use sessions in one way or another, that would be a SERIOUS issue. That is most likely due to a config issue or a problem somewhere else, and the number of people who post a bug saying "Oh Noesss" when they screw something up makes me laugh.

Since they counted VLC as an "Apple" bug (since VLC can run on a Mac), I suppose they will also count problems with poorly-coded users' php scripts as php bugs.

On the serious side, identifying problems is good. Public release of bug info before letting the responsible party work on it is bad.

I think the VLC bug counted because it then used some other problem to break security, while it wouldn't have counted had OSX blocked it and not let it do anything. Then it would've just been a VLC bug and nothing more. OS bugs/holes are not the only security risk on your system. Every app you install that has something to do with the internet can be used to then take over your system. We've seen this a lot on Windows; IE aside, we've had bugs from Office apps to Symantec A/V apps that leave your system open.

I agree that finding the problems is good, but if you tell the company or people in charge of the product about them, and nothing gets fixed after a long time, public release of bug info is the only way to get them to fix things.

GP007 said,
I agree that finding the problems is good, but if you tell the company or people in charge of the product about them, and nothing gets fixed after a long time, public release of bug info is the only way to get them to fix things.
Agree. But this crap is just attention-seeking grandstanding.

If the vendors don't respond/react, then I can see benefit to public disclosure. However, these idiots are publicly releasing information without proper advance notification to the responsible vendors.