[LINK] Hardened PHP Project
stephen at melbpc.org.au
stephen at melbpc.org.au
Tue Mar 6 22:02:12 EST 2007
Hardened PHP Project, 2007
This initiative is an effort to improve the security of PHP. We will
concentrate on security vulnerabilities in the PHP core.
During March 2007 old and new security vulnerabilities in the Zend
Engine, the PHP core and the PHP extensions will be disclosed on a day by
We will also point out necessary changes in the current vulnerability
management process used by the PHP Security Response Team.
Esser, widely regarded as an authority on PHP security issues, plans to
make daily disclosures on buffer overflows, double free vulnerabilities
and trivial bypass bugs in PHPs protection features as part of a wider
goal to make people and especially the PHP developers aware that bugs in
In an interview with SecurityFocus, the German researcher did not hide
his disdain for the way PHP security issues are handled by the open-
source group that maintains the Apache-backed project. PHP has a very
bad reputation when it comes to security, which is mostly caused by all
the advisories about security holes in PHP applications, he declared,
arguing that the situation is inflamed by the PHP Groups insistence on
blaming programmers for insecure coding practices.
Remote File Inclusions, vulnerabilities due to register_globals or other
problems within the PHP engine (e.g. zend_hash_del_key_or_index bug) are
fully to blame on the PHP language. Unfortunately this kind of thinking
is not appreciated by the PHP developers and they continue to claim that
PHP is not worse than other languages, and that only badly written PHP
applications are the problem. The Month of PHP bugs will show however
that a lot of bugs in PHPs own source code exist, Esser added.
Essers flaw disclosure project will only release information on holes
within the code shipped with the default distribution of PHP. That means
we will not disclose holes in extensions that only exist in PECL, while
we are sure that those contain vulnerabilities, too. Most of the holes
were previously disclosed to the vendor, but not all, he explained.
On some days in March, because of the volume of PHP bugs stockpiled, he
said there will be more than one vulnerability disclosed.
As a vulnerability reporter you feel kinda puzzled how people among the
PHP Security Response Team can claim in public that they do not know
about any security vulnerability in PHP, when you disclosed about 20
holes to them in the two weeks before. At this point you stop bothering
whether anyone considers the disclosure of unreported vulnerabilities
unethical. Additionally a few of the reported bugs have been known for
years among the PHP developers and will most probably never be fixed, he
The issue of PHP security has been on the front burner lately, driven
mostly by a dramatic rise in exploitable flaws in PHP-based Web
More information about the Link