[ISN] Month of PHP bugs gets rolling

From: InfoSec News (alerts@private)
Date: Tue Mar 06 2007 - 22:18:24 PST


By Matthew Broersma
05 March 2007

Developer Stefan Esser has launched his Month of PHP Bugs project with 
11 bugs in five days, including an old flaw reintroduced in a new 
version of PHP and several known bugs he says are unlikely ever to be 

Esser and his collaborators published eight flaws in the first three 
days of the month, followed by another three on Sunday and Monday. 
Unlike similar, but unconnected, projects such as the Month of Kernel 
Bugs and the Month of Apple Bugs, "we do not enforce a 
one-vulnerability-per-day limit upon ourselves," Esser wrote on the 

The project is designed to force PHP developers to improve security, and 
Esser kept up a steady stream of criticism of the way PHP security is 
handled. The three bugs published on the project's first day are those 
"that are already known but are not yet or will never be fixed", he 

A cross-site scripting flaw, bug number eight, was disclosed in October 
2005, fixed, but then reintroduced in PHP 4.4.3, Esser said.

The project focuses on the PHP standard distribution, but Esser included 
two "bonus" bugs that affect the Zend Platform, which runs on a web 
server, monitoring PHP applications and reporting on performance and 
possible problems.

Zend, which sponsors PHP development, has criticised Esser for his 
aggressive attitude toward PHP developers, but Esser said others have 
been supportive, with several developers volunteering their own zero-day 
flaws for publication.

"The reaction has been quite positive so far," he wrote in a blog post.

This archive was generated by hypermail 2.1.3 : Tue Mar 06 2007 - 22:24:58 PST