PHP Security Expert Resigns
juct writes "PHP security holes have a name — quite often it was Stefan Esser who found and reported them. Now Esser has quit the PHP security team. He feels that his attempt to make PHP safer "from the inside" is futile. Basic security issues are not addressed sufficiently by the developers. Zeev Suraski, Zend's CTO, of course disagrees and urges Stefan to work with the PHP development team instead of working against it. But given the number of remote code execution holes in PHP apps this year, Esser might have a point. And he plans to continue his quest for security holes in PHP. Only that from now on, he will publish them after a reasonable time, regardless of whether a patch is available or not."
Update: 10/30 12:57 GMT by KD : Zeev Suraski wrote in to protest: "I'm quoted as if I 'point fingers at inexperienced developers,' and of course, there's no link to that — because it's not true! The two issues — security problems in Web apps written in PHP, and security problems in PHP itself — are two distinct issues. Nobody, including myself, is saying that there are no security problems in PHP — not unlike pretty much any other piece of software. Nobody, I think, argues the fact that there have been many more security problems at the application level than there were at the language level. I never replied to Stefan's accusations of security problems in PHP saying 'that's bull, it's all the developers' fault,' and I have no intention to do it in the future."
Re:php is the best language still (Score:2, Interesting)
Huge problem is "default" installs - everyone knows where your sample scripts are. Delete those first thing, then move/rename the active libraries.
Now, where's that Ruby book?
Re:php is the best language still (Score:1, Interesting)
Huge problem is the lack of proper engineering efforts.
PHP seems to me quite a good language for the task at hand, and its popularity seems to agree with me. Probably some PHP core developers are quite good at defining/developing it. The problem is that for a good product to be born that's not enough. Then you need people with proper engineering knowledge and *attitude*, and I feel these people severely lack that.
It's not only security flaws within the core of it, which is a clear symptom (while proper engineering efforts would reduce them with time); it's that they mix security fixes with new functionality; they change the interpreter behaviour and default options within minor releases... Those are symptoms of the underlying illness: bad engineering attitude.
And it doesn't seem that it will change in the future; quite a pity.
Actual announcement (Score:5, Interesting)
Here's the announcement from the source himself, via his blog [php-security.org]. Based on that post I'd say he sounds pretty disgruntled with how his efforts towards security were received, i.e. "the PHP Group will jump into your boat as soon as you try to blame PHP's security problems on the user, but the moment you criticize the security of PHP itself you become persona non grata"
As a PHP user.... (Score:5, Interesting)
In particular, the late static binding issue (if B extends A, then A::staticFunc() called as B::staticFunc() is run in the context of class A, not B). It's like how it took MySQL a decade to get stored procedures and views despite many people asking for them. Many people complain about the late static binding issue, but last I knew it was still "it's a feature, not a bug."
Regardless, thanks for your work Mr. Esser...
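The binding behaviour the comment above complains about, as an added example that is not part of the thread or of PHP's own code. `self::` is bound at compile time to the class the code is written in; the `static::` keyword, which PHP 5.3 added as "late static binding" after this thread was written, is resolved at run time to the class the call was actually made on. Class names A and B and the method names are arbitrary; the script needs PHP 5.3 or later.

```php
<?php
// Added example (not from the thread or the PHP project): self:: versus static::.
// Runs on PHP >= 5.3, the first release with the static:: keyword.

class A
{
    public static function name()
    {
        return 'A';
    }

    // self:: is fixed at compile time to the class this code lives in,
    // so this calls A::name() even when the call site is B::describe().
    // This is the behaviour the comment above describes.
    public static function describe()
    {
        return self::name();
    }

    // static:: is resolved at run time to the class the call was made on
    // (late static binding), so B::describeLate() calls B::name().
    public static function describeLate()
    {
        return static::name();
    }

    // The same distinction matters for factory methods in a base class:
    // new self() always builds an A, new static() builds the called class.
    public static function create()
    {
        return new self();
    }

    public static function createLate()
    {
        return new static();
    }
}

class B extends A
{
    public static function name()
    {
        return 'B';
    }
}

echo B::describe(), "\n";
echo B::describeLate(), "\n";
echo get_class(B::create()), "\n";
echo get_class(B::createLate()), "\n";
```

Running it shows the two resolutions side by side: `B::describe()` and `B::create()` resolve through `self::` to A, while `B::describeLate()` and `B::createLate()` resolve through `static::` to B. Pre-5.3 code that needs the B behaviour has no clean way to get it from inside A, which is exactly why the issue kept coming up.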
Re:Question from a .NET developer trying to go OSS (Score:4, Interesting)
Rails is pretty cute. A more functional (but less "shiny") alternative is Catalyst [catalystframework.org]. It's written in Perl, which means you get the benefit of over 10,000 extension libraries from the CPAN [cpan.org] to draw upon. Perl also has some nice features that Ruby or PHP lack, like full native unicode support and automatic taint checking. It's also faster, because it's had 10 years to mature. Sadly people seem to be ignoring Perl these days, but with recent improvements it's nearly as cool as Ruby (check out "Moose").
Also, if you'd like to access a database with compound primary keys, ActiveRecord won't support that, but Catalyst's ORM (DBIx::Class) supports it fine.
Rails is good for quick apps like a wiki or a blog, but for more complicated internal applications, Catalyst is where it's at. Stop by the website, check out our advent calendar [catalystframework.org], or perhaps try the tutorial [cpan.org]. Join us in #catalyst on irc.perl.org if you have any questions!
PHP ought to be forked (Score:5, Interesting)
PHP could be turned into a decent general purpose scripting language if someone would fork it. Unfortunately that means that we'd need someone who knows the codebase, has time and is fed up with the current PHP development process. Maybe we could talk Esser into it...
Re:MOD PARENT UP (Score:3, Interesting)
Then a php to python converter, and then we could start to forget about magic_quotes and safe mode.
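Why magic_quotes is something to forget rather than rely on, as an added example that is not code from the thread or from the PHP project. It assumes the pdo_sqlite extension so it runs offline against an in-memory database; the users table, the function names and the hostile input are all constructed here. The script first makes itself independent of the magic_quotes_gpc directive (removed in PHP 5.4), then runs the same input through the escaping pattern magic_quotes encouraged and through a prepared statement.

```php
<?php
// Added example, not code from the thread or from the PHP project.
// Assumes pdo_sqlite; table, function names and input are constructed here.

// Step 1: make the application independent of magic_quotes_gpc.
// On old hosts that still have it on, strip the backslashes it added so the
// code below sees raw input and applies exactly one escaping strategy itself.
// Handles flat arrays only, which is enough for this demonstration.
function raw_input(array $gpc)
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return array_map('stripslashes', $gpc);
    }
    return $gpc;
}

// Step 2: the magic_quotes-era pattern. addslashes() (what magic_quotes did
// for you automatically) only escapes quote characters, so a value spliced
// into an unquoted numeric position in the SQL text is not protected at all.
function lookup_escaped(PDO $db, $id)
{
    $id  = addslashes($id);
    $sql = "SELECT name FROM users WHERE id = $id";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Step 3: the hardened form. The value is bound as a parameter and never
// becomes part of the SQL text, so no escaping rule has to be right.
function lookup_prepared(PDO $db, $id)
{
    $stmt = $db->prepare('SELECT name FROM users WHERE id = ?');
    $stmt->execute(array($id));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed in-memory database standing in for a real application's table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')");

// Constructed hostile input: it contains no quote characters, so neither
// magic_quotes nor addslashes() changes it in any way.
$get   = raw_input(array('id' => '1 OR 1=1'));
$input = $get['id'];

print_r(lookup_escaped($db, $input));
print_r(lookup_prepared($db, $input));
```

`lookup_escaped()` returns both names because the query it builds is `SELECT name FROM users WHERE id = 1 OR 1=1`; `lookup_prepared()` returns an empty array because the bound string `1 OR 1=1` is compared as a value against the id column and matches nothing. That is the point of dropping magic_quotes: escaping applied blindly to all input gives the developer a false sense of safety in exactly the cases it cannot cover, while parameter binding needs no knowledge of which characters are dangerous.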
Re:PHP Security Expert (Score:1, Interesting)
I know exactly nothing about PHP, except that putting it on my Fedora box was a prereq to installing the mambo CMS, so I followed the instructions exactly.
My first introduction to php itself was about 6 weeks later when I found my network sagging under the load of a spam blast emanating from my now-compromised machine, broken into through a php exploit - kinda disgruntling and humiliating since I take the utmost care over security and this was the first ever breakin.
The first reaction when I told someone at work about this was "yeah, you'd have to be mad to run php on a box you don't want to get owned".
Lesson learned and now I would not touch php with a 20 ft pole.
Re:XSS by default (Score:1, Interesting)
A lot of 'Learn Perl' tutorials/books/etc have potential XSS/nullbyte exploits in the examples.
etc.
Re:Uh-huh, riiiiiiiiight... (Score:4, Interesting)
One cannot say it was PHP directly that got the machine compromised. It was an exploit in a script written in PHP.
A box isn't going to get compromised if PHP was installed alone on the box without any scripts (at least it's very very unlikely).
Is C the direct cause of your box being owned when there is an exploit in, say, proftpd for example?
I mean, I could also say...
"yeah, you'd have to be mad to run sendmail on a box you don't want to get owned"
"yeah, you'd have to be mad to run proftpd on a box you don't want to get owned"
"yeah, you'd have to be mad to run bind on a box you don't want to get owned"
"yeah, you'd have to be mad to run a linux kernel on a box you don't want to get owned"
These applications have all had their problems in the past, maybe some still have problems, but overall they get fixed when new exploits/bugs are discovered.
I'm not quite sure why, but a lot of people/webmasters/admins do not check for updates to the 3rd party PHP scripts they have installed, they just install them once and leave them running... Then they wonder why their box was compromised due to them running out of date software.
You wouldn't leave your Windows machine unpatched and never check for updates, would you?
Re:If people used my butt to the extent they use p (Score:3, Interesting)
Oh wait, it hasn't, has it. It is also why Apache had so many more security issues than IIS4 because Apache was used... oh hang on, that one doesn't work either.
Maybe if you used your mouth rather than your butt for speaking you might make more sense.
Re:Actual announcement (Score:3, Interesting)
I'm not surprised. If you read the article, you come across this gem:
That's right, the PHP team think that dedicating a month to finding security holes in PHP is "harming the project".
Stefan has a bit of a reputation for being "abrasive". But in my opinion, it is because he's got decent (not unreasonable, but decent) quality standards, and isn't afraid to hold other people to them. In a normal project, that wouldn't be so bad, but given the prevailing attitudes of the PHP project, it's understandable that he blows up frequently enough to have a reputation.