By Matthew Broersma
21 February 2007
PHP developer Stefan Esser has said he will go ahead with plans to
disclose dozens of security flaws in PHP in March, hitting back at
criticism that the "Month of PHP bugs" project is nothing more than
dangerous, self-serving publicity.
The problem isn't irresponsible disclosure, but the sluggishness of the
PHP team in fixing serious problems, Esser contended. He has first-hand
experience with the PHP security process having created both the
Hardened-PHP Project and the PHP Security Response Team, which he left
acrimoniously in December.
Esser's argument is that PHP itself - as opposed to the numerous web
applications written in the language - contains serious bugs, and that
this fact isn't well-enough understood.
"Remote File Inclusions, vulnerabilities due to register_globals or
other problems within the PHP engine... are fully to blame on the PHP
language," he said in an interview with security website SecurityFocus.
"Unfortunately this kind of thinking is not appreciated by the PHP
developers, and they continue to claim that PHP is no worse than other
He accused members of the PHP development team of ignoring security bugs
he had submitted to them. "At this point you stop bothering whether
anyone considers the disclosure of unreported vulnerabilities
unethical," he said, according to the site.
He said PHP 5.2.1, released earlier this month, fixes some of the
problems he reported to the PHP Group, but also highlights the problems
with the way PHP security is managed. "As usual the release announcement
gives too little information about the bugs, does describe several bugs
wrongly, forgets some security bugs that were fixed, downplays the
seriousness of the bugs and does not give a single line of credit," he
said in a blog entry.
Zeev Suraski, co-creator of PHP and chief technology officer of Zend,
which manages PHP development, said the "Month of PHP bugs" is likely to
harm PHP, and urged Esser to rejoin the fold of the PHP Group.
He said much of the bad publicity around PHP security is due to problems
with applications written in PHP, or problems with PHP that have made it
easy for developers to code insecurely. He admitted that PHP itself has
problems, but said the language is no more insecure than any other.
"Yes, there are security problems in PHP," he said in a blog entry. "I
can hardly think of any other project in such a scope and of a similar
nature that doesn't have security problems in it, at the same rate (give
or take) as PHP. I believe we've had an excellent track record at fixing
remotely exploitable problems and coming out with fixes immediately, and
there haven't been that many of them either."
He said that Esser's project will create more problems than it solves,
and urged Esser not to "turn to the 'other side'". "I'd like to take the
opportunity, again, and ask Stefan to come to come back to security@
team, and work with the project and not against it," he wrote.
Subscribe to the InfoSec News RSS Feed