By Howard Dahdah
10 April, 2007
PHP bug hunter Stefan Esser says he feels vindicated after his
successful Month of PHP Bugs project which ran through March.
The project, which aimed to highlight flaws in the PHP source code,
uncovered 44 bugs, although Esser said the real number was 41, because
three bugs were not in PHP code itself. These, he said, were a "bonus".
Esser copped a lot of flak ahead of, and during, his Month of PHP bugs
Many critics in blogsphere claimed the project was an act of revenge
against the PHP community which Esser was once close to.
Esser, who was a founder of the PHP Security Response Team, left the
group amid much acrimony in December 2006. He said his main bone of
contention with the group lay in the righteous view its members had of
the PHP source code, and what he believed was their protection of
In light of his criticisms of the PHP source code, Esser went about
organizing the MOPG, which he said was a "concentrated audit" of bugs.
"I have been doing bug hunting in PHP for years now. Only this time I
collected the bugs and released them in a more dramatic way than I
usually do," he said.
"The outcome is that I proved that there is substance behind things I
claim, which is quite uncommon in PHP security where most is just
marketing talk," he said. "I have especially demonstrated that my claims
that PHP developers reintroduce bugs or never fix them correctly or
introduce new vulnerabilities with security fixes are valid."
Esser said he did not know if there will be a 'Return of the MOPB'.
"But yes, I will continue to uncover vulnerabilities in PHP and develop
protections against those vulnerabilities," he said.
"I have been doing this for six years and I do not plan to stop. I still
have more PHP vulnerabilities in my pocket."
Subscribe to InfoSec News