[ISN] PHP Group accused of security incompetence

From: InfoSec News (alerts@private)
Date: Wed Feb 21 2007 - 23:10:33 PST


By Matthew Broersma
21 February 2007

PHP developer Stefan Esser has said he will go ahead with plans to 
disclose dozens of security flaws in PHP in March, hitting back at 
criticism that the "Month of PHP bugs" project is nothing more than 
dangerous, self-serving publicity.

The problem isn't irresponsible disclosure, but the sluggishness of the 
PHP team in fixing serious problems, Esser contended. He has first-hand 
experience with the PHP security process having created both the 
Hardened-PHP Project and the PHP Security Response Team, which he left 
acrimoniously in December.

Esser's argument is that PHP itself - as opposed to the numerous web 
applications written in the language - contains serious bugs, and that 
this fact isn't well-enough understood.

"Remote File Inclusions, vulnerabilities due to register_globals or 
other problems within the PHP engine... are fully to blame on the PHP 
language," he said in an interview with security website SecurityFocus. 
"Unfortunately this kind of thinking is not appreciated by the PHP 
developers, and they continue to claim that PHP is no worse than other 

He accused members of the PHP development team of ignoring security bugs 
he had submitted to them. "At this point you stop bothering whether 
anyone considers the disclosure of unreported vulnerabilities 
unethical," he said, according to the site.

He said PHP 5.2.1, released earlier this month, fixes some of the 
problems he reported to the PHP Group, but also highlights the problems 
with the way PHP security is managed. "As usual the release announcement 
gives too little information about the bugs, does describe several bugs 
wrongly, forgets some security bugs that were fixed, downplays the 
seriousness of the bugs and does not give a single line of credit," he 
said in a blog entry.

Zeev Suraski, co-creator of PHP and chief technology officer of Zend, 
which manages PHP development, said the "Month of PHP bugs" is likely to 
harm PHP, and urged Esser to rejoin the fold of the PHP Group.

He said much of the bad publicity around PHP security is due to problems 
with applications written in PHP, or problems with PHP that have made it 
easy for developers to code insecurely. He admitted that PHP itself has 
problems, but said the language is no more insecure than any other.

"Yes, there are security problems in PHP," he said in a blog entry. "I 
can hardly think of any other project in such a scope and of a similar 
nature that doesn't have security problems in it, at the same rate (give 
or take) as PHP. I believe we've had an excellent track record at fixing 
remotely exploitable problems and coming out with fixes immediately, and 
there haven't been that many of them either."

He said that Esser's project will create more problems than it solves, 
and urged Esser not to "turn to the 'other side'". "I'd like to take the 
opportunity, again, and ask Stefan to come to come back to security@ 
team, and work with the project and not against it," he wrote.

Subscribe to the InfoSec News RSS Feed

This archive was generated by hypermail 2.1.3 : Wed Feb 21 2007 - 23:31:27 PST