March - PHP Month of Bugs (back up your sites!)

JeevesBond (3,956 posts, joined Jun 2002):

Is everyone ready for the PHP month of bugs in March? Stefan Esser, founder of both the PHP Security Response Team and Hardened-PHP Project, has announced that he's going to release over 31 bugs into the public domain during March.

He's got an agenda here too (since leaving the PHP Security Response Team in frustration at the incompetence of core PHP developers), from the article:

Security Focus wrote: As a vulnerability reporter you feel kinda puzzled how people among the PHP Security Response Team can claim in public that they do not know about any security vulnerability in PHP, when you disclosed about 20 holes to them in the two weeks before. At this point you stop bothering whether anyone considers the disclosure of unreported vulnerabilities unethical. Additionally a few of the reported bugs have been known for years among the PHP developers and will most probably never be fixed.

Security Focus wrote: I was quite often called an immoral traitor or other things from PHP (core) developers for disclosing security holes in PHP to the public.

Nice. He's on a crusade to clean up PHP. This could have an effect on all of us who're using PHP applications:

Security Focus wrote: We will disclose different types of bugs, mainly buffer overflows or double free(/destruction) vulnerabilities, some only local, but some remotely trigger-able

Basically, this dude is going to release details of over 31 nasty security vulnerabilities in as many days. Some people are going to get hacked because of this. I'm expecting a new version of PHP to come out shortly after all this, so we'd all better be ready to upgrade!

Are you ready for a bumpy ride in March?!


Megan (11,421 posts, joined Jun 1999):

I'm moving this to Webmaster's Corner where more people will see it - too important to be left in server-side scripting.

This means that you need to BACK UP anything you have running on PHP and keep an eye out for upgrades on any scripts you are using.

demonhale (3,278 posts, joined May 2005):

Dang! Another busy series of months again then... I hope they just keep it under wraps...

pr0gr4mm3r (1,502 posts, joined Sep 2006):

Nobody uses automated backups? Mine are backed up every night.

demonhale (3,278 posts, joined May 2005):

I have peace of mind when I do backups myself... but still, I hate bugs...

JeevesBond (3,956 posts, joined Jun 2002):

Quote: Nobody uses automated backups? Mine are backed up every night.

We have mostly automatic updates; we just have to run a script and enter SSH passwords. Unfortunately our server doesn't support using certificates for automatic logins.

I can imagine there will be many bloggers and small businesses which don't bother backing-up.


andy206uk (1,758 posts, joined Jul 2002):

Thanks for pointing this out... I've told the sysadmins at the company they work for.

I have to say, the way he's handling this is wrong. What he should have done is told the guys that make PHP about the bugs a month in advance and told them that if they didn't resolve them by a certain deadline THEN he would begin releasing them.

Why should we all suffer because he's got beef with the PHP team?

Andy

Abhishek Reddy (3,348 posts, joined Jul 2001):

andy206uk wrote: I have to say, the way he's handling this is wrong. What he should have done is told the guys that make PHP about the bugs a month in advance and told them that if they didn't resolve them by a certain deadline THEN he would begin releasing them.

That's basically what he's doing. The Month of PHP Bugs was announced at least a month ago. He resigned from the PHP Security Response Team in early December. He founded the SRT in 2004.

So the PHP security people were well aware of a lot of unresolved bugs for a long time, as Esser and others had been reporting them for years. But the team refuse even to acknowledge many of the bugs, let alone attempt to fix them or actually fix them properly.

andy206uk wrote: Why should we all suffer because he's got beef with the PHP team?

His premise is that we're already suffering because the PHP team aren't doing their job. Hopefully what he's trying now -- after all his prior effort -- will help improve the situation.

pr0gr4mm3r wrote: His actions seem quite immature IMHO.

It may seem so when seen out of context. You have to bear in mind that he has been dealing with the PHP folks for years and it led nowhere.

I guess it would be better if he also released patches along with the bugs, but I think that would be an unreasonable ask. That's what the PHP security team is there for, after all.

Anyway, I'm glad this is finally happening. In my opinion, PHP has been resting on its laurels somewhat in the last couple of years -- not just in security. I hope the Month of Bugs will either drive the project to refocus, or drive its users to better technologies.

I can't imagine that it will have a significant adverse effect for users, though. The security risks of poorly written PHP applications, or improper server configuration, are far greater than those of bugs in PHP core -- by Esser's own admission.


pr0gr4mm3r (1,502 posts, joined Sep 2006):

Quote: Why should we all suffer because he's got beef with the PHP team?

His actions seem quite immature IMHO.

andy206uk (1,758 posts, joined Jul 2002):

Ahhh... that kinda clarifies it for me. I figured he was doing this without giving them a good chance to fix PHP in advance.

JeevesBond (3,956 posts, joined Jun 2002):

Agreed with everything Abhi said. This person is only doing what he's doing after many months (if not years) of frustration at the PHP Security Team. Note one of the quotes:

Quote: As a vulnerability reporter you feel kinda puzzled how people among the PHP Security Response Team can claim in public that they do not know about any security vulnerability in PHP, when you disclosed about 20 holes to them in the two weeks before.

He's given them plenty of warning. They've had many opportunities to fix the problems, but they've continually ignored them or told people they don't exist. I've heard of Microsoft taking a similar tack when it comes to bugs; it's not acceptable from them, so it's definitely not acceptable in a FLOSS project!

Abhi wrote: Anyway, I'm glad this is finally happening. In my opinion, PHP has been resting on its laurels somewhat in the last couple of years -- not just in security. I hope the Month of Bugs will either drive the project to refocus, or drive its users to better technologies.

Now all we need is a 'PHP Month of namespaces' or some of the other things on Abhi's list of reasons why PHP sucks (my favourite TWF post ever).
