Month of PHP Bugs Has Begun

An anonymous reader writes "The previously announced Month of PHP Bugs started three days ago, and already lists 8 security vulnerabilities in PHP and PHP related software. From the site: 'This initiative is an effort to improve the security of PHP. However we will not concentrate on problems in the PHP language that might result in insecure PHP applications, but on security vulnerabilities in the PHP core. During March 2007 old and new security vulnerabilities in the Zend Engine, the PHP core and the PHP extensions will be disclosed on a day by day basis. We will also point out necessary changes in the current vulnerability management process used by the PHP Security Response Team.'"

Defective by Design?

[Ckwop]

We see a lot of people use the phrase "defective by design" when talking about Vista and in that instance I'm pretty sure the use of the term is correct.

Having never used PHP but heard of its many security problems I'm wondering: Is PHP defective by design? If so, why so and how would Slashdot seek to fix it?

Simon

Month of bugs, will it change things for better?

[chabotc]

To be honest i'm glad that this month of bugs is happening, after all the previous news items about how the core php / zend team is refusing to colaberate with some ppl who are deeply concerned about php's security (and by this we do mean mistakes/faults in the php engine, not in bad php programming).

On the other hand, i bet a fair few of the released vunerabilities will be applicable for many websites that the company i work for hosts, and i know corperate policy doesn't include frequent updates to their envirioment, there's just to many sites, to many badly supported applications by/for customers, and just to damn many servers to work with easily, i can't imagine were the only such company with such problems... And it really makes me wonder if this will mean that many hundreds of our hosted websites will from now on be easily hackable by scriptkiddies

Should prove to be interesting times, and who knows maybe it will teach our admins to use yum/rpm's for their servers instead of compiling their own apache/php combinations :-)

Just in case..

[loconet]

To clarify, note that these bugs are related to the PHP core, not the language itself which may result in insecure applications. The statement that 8 security vulnerabilities in PHP and PHP related software is not referring to PHP software such as Wordpress. I mean seriously, I think I saw my dog hacking together a blog the other day using PHP. Everyone uses the language and not everyone has the background to know what they should and shouldn't be doing. In addition to its popularity, the language and its "libraries" make it easy for untrained coders to leave gapping holes in the code. Don't get me wrong, I love PHP (to an extend), I make a living out of it but any attempt at fixing "PHP related software" directly (ie: wordpress,phpbb,oscommerce,etc) would take more than a month.

Re:Defective by Design?

[SCHecklerX]

Use perl instead :)

Not entirely joking. I use embedded perl for my own dynamic sites, and keep track of the lists, and can't recall any serious known flaws with that implementation.

The vulnerabilities that keep popping up (and the fact that I already know and am comfortable with perl, have CPAN, can develop quickly especially now that I have my own base modules set up, etc) are one reason that I never really looked into PHP.

Re:Defective by Design?

[Anonymous Coward]

Uhmm, you are aware that all the phpBB forums out there use unserialize() on cookie data?

And phpBB is just one of many popular applications that do it...

The simplest fix

[Anonymous Coward]

One of the biggest problems with PHP is the die-hard adherance to backwards compatibility. Functions don't get deprecated, the API doesn't change, it gets overloaded with nearly-the-same but-not-quite methods so that somewhere, somebody doesn't complain about how their website "broke" with the latest release--never mind the fact that by using insecure functions, their sites are already broke.

Re:Defective by Design?

[julesh]

I think PHP has got beyond the stupid-design-flaws-causing-security-issues stage. Now, as you correctly point out, the major issue is endemic insecure programming practices and a lack of attention to bug reports.

How I wish we could just junk the language and start again with something else; unfortunately, market pressures being what they are, I'm afraid we're stuck with it, at least for the time being.

Re:Parent isn't flamebait

[Aladrin]

So your webhost won't upgrade, and that's PHP's fault? PHP5 has been out a LONG time. Don't bother complaining about bugs in PHP4 simply because your website can't be bothered to upgrade. Find a decent webhost instead.

strpos() return FALSE when it can't find the 'needle'. http://us2.php.net/strpos [php.net] Use a proper test (===) and you'll have all you need in a single statement.

Some people really LIKE dynamically-typed variables. It's not a bug or a problem. It's a design choice.

Your flamebait at the end (vbscript) does nothing to enhance your argument. Leave it off next time.

Re:Defective by Design?

[nuzak]

Done. http://www.caucho.com/resin-3.1/doc/quercus.xtp [caucho.com]

Re:PHP taint what it should be

[Unknown Relic]

Well then, you'll be happy to know that Wietse Venema from IBM Research put in a proposal for taint support in PHP a couple months ago. I'm not sure if anything has come of it as there was a fair amount of concern that it would turn into another "Safe Mode" debacle, but from what I remember his plan was to essentially start work on a proof of concept implementation early this year and then take it from there.

Why MOPB Matters

[gantry]

I have just analysed the last month's script kiddie attacks on my web server. 71% of them were to php-related URLs. When I first went through this exercise some years ago, the overwhelming majority of attacks were URLs related to IIS. The significance of this change cannot be overestimated.

Yes, a lot of the problems are sloppy coding, but too many are in the PHP core. How many web pages use the PHP-array-specific query-string
    ?foo[]=bar
- not many, you might think. How many use a PHP nested array
    ?foo[][][][][]=bar
- quite an unusual structure, you might agree.

The real stinger is that PHP will let this array be as deep as an attacker likes - and it's the same for a POST as for a query string, so there's no practical limit. An attacker can exhaust the space available for the stack, with several adverse consequences. This bug has a lot in common with the gravest bugs in PHP's history, in that it is a mistake in PHP's input processing: in this case, PHP trusts the sanity of user input. According to MOPB, Zend's attitude to this bug is "won't fix".

The arrogance of this attitude is breathtaking. PHP is now the most insecure package on my internet server, probably surpassing the old BIND 8 in the frequency and gravity of its exploitable bugs. I sincerely hope that Zend will get its act together and make security their number one priority. The predominance of PHP on the web is not theirs as of right - if they do not act, then either their product will be forked, or an alternative will take its place.

The nested array bug is described here:
http://www.php-security.org/MOPB/MOPB-03-2007.html [php-security.org]