By Matthew Broersma
05 March 2007
Developer Stefan Esser has launched his Month of PHP Bugs project with
11 bugs in five days, including an old flaw reintroduced in a new
version of PHP and several known bugs he says are unlikely ever to be
Esser and his collaborators published eight flaws in the first three
days of the month, followed by another three on Sunday and Monday.
Unlike similar, but unconnected, projects such as the Month of Kernel
Bugs and the Month of Apple Bugs, "we do not enforce a
one-vulnerability-per-day limit upon ourselves," Esser wrote on the
The project is designed to force PHP developers to improve security, and
Esser kept up a steady stream of criticism of the way PHP security is
handled. The three bugs published on the project's first day are those
"that are already known but are not yet or will never be fixed", he
A cross-site scripting flaw, bug number eight, was disclosed in October
2005, fixed, but then reintroduced in PHP 4.4.3, Esser said.
The project focuses on the PHP standard distribution, but Esser included
two "bonus" bugs that affect the Zend Platform, which runs on a web
server, monitoring PHP applications and reporting on performance and
Zend, which sponsors PHP development, has criticised Esser for his
aggressive attitude toward PHP developers, but Esser said others have
been supportive, with several developers volunteering their own zero-day
flaws for publication.
"The reaction has been quite positive so far," he wrote in a blog post.