[ISN] PHP bug hunter silences his critics with security project

From: InfoSec News (alerts@private)
Date: Mon Apr 09 2007 - 23:28:40 PDT


http://www.arnnet.com.au/index.php/id;1395934823;fp;16;fpid;1

By Howard Dahdah 
10 April, 2007

PHP bug hunter Stefan Esser says he feels vindicated after his 
successful Month of PHP Bugs project which ran through March.

The project, which aimed to highlight flaws in the PHP source code, 
uncovered 44 bugs, although Esser said the real number was 41, because 
three bugs were not in PHP code itself. These, he said, were a "bonus".

Esser copped a lot of flak ahead of, and during, his Month of PHP bugs 
project.

Many critics in blogsphere claimed the project was an act of revenge 
against the PHP community which Esser was once close to.

Esser, who was a founder of the PHP Security Response Team, left the 
group amid much acrimony in December 2006. He said his main bone of 
contention with the group lay in the righteous view its members had of 
the PHP source code, and what he believed was their protection of 
insecure code.

In light of his criticisms of the PHP source code, Esser went about 
organizing the MOPG, which he said was a "concentrated audit" of bugs. 
"I have been doing bug hunting in PHP for years now. Only this time I 
collected the bugs and released them in a more dramatic way than I 
usually do," he said.

"The outcome is that I proved that there is substance behind things I 
claim, which is quite uncommon in PHP security where most is just 
marketing talk," he said. "I have especially demonstrated that my claims 
that PHP developers reintroduce bugs or never fix them correctly or 
introduce new vulnerabilities with security fixes are valid."

Esser said he did not know if there will be a 'Return of the MOPB'.

"But yes, I will continue to uncover vulnerabilities in PHP and develop 
protections against those vulnerabilities," he said.

"I have been doing this for six years and I do not plan to stop. I still 
have more PHP vulnerabilities in my pocket."


__________________________
Subscribe to InfoSec News
http://www.infosecnews.org



This archive was generated by hypermail 2.1.3 : Mon Apr 09 2007 - 23:45:22 PDT