March To Be Month of PHP Bugs

PHP writes "Stefan Esser is the founder of both the Hardened-PHP Project and the PHP Security Response Team (which he recently left). During an interview with SecurityFocus he announced the upcoming Month of PHP bugs initiative in March." Quoting: "We will disclose different types of bugs, mainly buffer overflows or double free (/destruction) vulnerabilities, some only local, but some remotely triggerable... Additionally there are some trivial bypass vulnerabilities in PHP's own protection features... As a vulnerability reporter you feel kinda puzzled how people among the PHP Security Response Team can claim in public that they do not know about any security vulnerability in PHP, when you disclosed about 20 holes to them in the two weeks before. At this point you stop bothering whether anyone considers the disclosure of unreported vulnerabilities unethical. Additionally a few of the reported bugs have been known for years among the PHP developers and will most probably never be fixed. In total we have more than 31 bugs to disclose, and therefore there will be days when more than one vulnerability will be disclosed."

So, PHP means ?

[Rastignac]

Public Holes Publication, isn't it ? ;)

Re:

[Dimentox]

Actually PHP is not that insecure.. Its the people who do not know hjow to write code who are insecure. You blame PHP. I blame peole who actually think they can program but are nothing more but scripters. PHP can be secure. If you write it correctly. Think about the script kiddys who use automated perl scripts.. Should perl not be on systems? If you want real security unplug your machine.. it will be safe. Otherwise any machine can be vouln.

Re:So, PHP means ?

[Anonymous Coward]

No, PHP is quite insecure. The libraries, the interpreter, and most PHP software are all poorly written.

And if inexperienced scripters is really the major problem, then the PHP developers need to take them into account when developing PHP. This means that the PHP developers need to add features to their product that help prevent such inexperienced people from writing easily-exploitable scripts. There has been some work done in this area, but it's been minimal, and so far ineffective.

Yes, inexperienced developers probably are responsible for many of the problems. But the more experienced (I would hope) developers of PHP itself need to step up to the plate, and do their part to deal with the problem of inexperienced developers writing poor code. Even if they don't do it in order to offer a better product, they should do it to save the few remaining strands of their reputation.

Re:

[JoelMartinez]

And if inexperienced scripters is really the major problem, then the PHP developers need to take them into account when developing PHP. This means that the PHP developers need to add features to their product that help prevent such inexperienced people from writing easily-exploitable scripts.

Microsoft calls this the pit of success ... where it's easy to "fall into" a successful implementation

Re:Pot calling the kettle black

[julesh]

If you're a programmer and you don't see huge problems with both the design of PHP itself and the standard library you should just quit now and find another hobby/profession.

I'm a programmer. I work with PHP. I see a hell of a lot of problems with its design and implementation. Am I ready to dump it and switch to something better? You bet. I've been waiting for the chance for the last 5 years or more.

Can I actually do this?

No. The marketplace is such that if I implement my solutions in any other environment, I'm cutting myself out of large chunks of the market simply because people might choose a hosting provider that doesn't support whatever alternative language I choose to use.

Re:

[milamber3]

Think about the script kiddys who use automated perl scripts.. Should perl not be on systems?

You are confusing the ability to use a script written in a specific language to exploit a hole with security vulnerabilities that are inherent in a particular language.

If you are making that mistake you should probably not be flaming anyone.

Re:So, PHP means ?

[daeg]

The problem isn't just the coders, it's the fault of the language, too. Sure, you can write fairly secure PHP code, but the language itself does not lend itself to teaching security. It's plainly evident that most features have "ease of use" ahead of "security" -- Register Globals is a prime example. I could have told you from the start that registering variables based on the names of POST/GET values was a Bad Idea(tm). Hell, anyone could have.

PHP is also forever afraid of breaking backwards compatibility. They probably don't want to scare PHP coders.

They also have issues around the monolithic nature of PHP. Oh, you want image processing? Recompile PHP! Oh, you need XML processing? Recompile PHP! There is no isolation whatsoever, everything resides in the same namespace.

I am glad that they are making progress, though. PHP 5 finally brought their OO up to speed (mostly). They finally have a secure, native database connector (PDO) that supports escaped bound parameters. PHP 6 is finally removing some deprecated features.

That said, I still am weary when I log into a website that holds my personal information and see a ".php" URL.

(I was a full time PHP developer for about 6 years. Was.)

Re:

[onerob]

Register Globals has been off by default for years.

Please don't let us see the return of \'magic quotes\'

Re:

[julesh]

Register Globals has been off by default for years.

Yes, but most hosting companies just switch it straight back on again, to stem the tide of complaints from users who downloaded an old script from somewhere but it doesn't work...

Re:

[Kelson]

Yes, but most hosting companies just switch it straight back on again, to stem the tide of complaints from users who downloaded an old script from somewhere but it doesn't work...

I was going to gripe about it being an issue for the hosting companies (we've had it disabled on our servers for several years), but now that I think about it, you're right: Register Globals is a "wings fall off" button.

Re:

[daeg]

Don't you mean \\\\\\\\\'magic quotes\\\\\\\\\'?

Re:

[jdbartlett]

You've just summed up--in one short comment--everything I hate about PHP. I've been a PHP developer for several years and it was my first introduction to the OSS community, but I still remember that wild discovery: "You mean have to take down the entire service just because it wasn't compiled against this or that library? That's INSANE! What the hell is Linux FOR?"

Re:

[rufus t firefly]

You've just summed up--in one short comment--everything I hate about PHP. I've been a PHP developer for several years and it was my first introduction to the OSS community, but I still remember that wild discovery: "You mean have to take down the entire service just because it wasn't compiled against this or that library? That's INSANE! What the hell is Linux FOR?"

I understand the point you're making, but why don't you just run it in CGI mode if you don't want to recompile, or use dl() to load the exten

Take down the service?

[Kelson]

"You mean have to take down the entire service just because it wasn't compiled against this or that library? That's INSANE! What the hell is Linux FOR?"

Really? Leaving aside the matter of using shared libraries, whenever I've had to add features to PHP it's gone like this:

1. Configure PHP with new options
2. Rebuild PHP
3. Reinstall PHP
4. service httpd configtest
5. service httpd restart

The only actual downtime occurs during step 5, which lasts maybe a second at most. This is Linux after all -- you can run the

From the PDO docs page:

[yem]

Warning

If your application does not catch the exception thrown from the PDO constructor, the default action taken by the zend engine is to terminate the script and display a back trace. This back trace will likely reveal the full database connection details, including the username and password. It is your responsibility to catch this exception, either explicitly (via a catch statement) or implicitly via set_exception_handler().

The default behavior in case of database problems is to display the host, u

Re:

[tinkertim]

Actually PHP is not that insecure.. Its the people who do not know hjow to write code who are insecure. You blame PHP. I blame peole who actually think they can program but are nothing more but scripters. PHP can be secure. If you write it correctly. Think about the script kiddys who use automated perl scripts.. Should perl not be on systems? If you want real security unplug your machine.. it will be safe. Otherwise any machine can be vouln.

You are correct, but that doesn't make net irritants that are permi

Maybe he could stagger it out

[SlappyBastard]

Give people a day or two to respond to each exploit before he hands us another to go racing after.

Re:

[tinkertim]

Give people a day or two to respond to each exploit before he hands us another to go racing after.

Especially us poor bastards that have 500 + servers to patch. I'm sure (err, hope?) they will do it responsibly , however I still see this being a *very* interesting month.

I'm a bit ambivalent

[SlappyBastard]

I've long argued that for as much as the pro-PHP group blames the coders, there is simply no excuse for some of the levels of vulnerability. So, while I'm loathe for the torrent of problems, I am glad to see someone finally calling PHP out in the open for some of the problems it created long before any kid touched a single line of code.

Re:

[Joebert]

That speach sounds soo scripted.

Re:

[tepples]

PHP can be secure. If you write it correctly.

Except in PHP 4 and PHP 5, the content of php.ini as deployed by too many shared hosting companies has not necessarily been conducive to writing it correctly.

great...

[blantonl]

Looks like this will also be "Month-of-me-working-harder-to-make-sure-my-site-i s-patched- and-updated-and-not-exploited-by-script-kiddies"

Re:

[julesh]

Yep. This is going to be fun^Wannoying.

Re:great...

[FredDC]

As opposed to "month-of-script-kiddies-working-hard-to-exploit-n on-patched-and-non-updated-websites"?

Re:

[Joebert]

Hi kids! Would you like to script this? (Yeah yeah yeah!)
Wanna see me shoot chocolate milk from each one of my eyelids? (Uh-huh!)
Wanna copy this and paste exactly like I did? (Yeah yeah!)
Try the wrong CID and get fucked up worse that my code is? (Huh?)
My mouse's dead weight, I'm tryin to get my story straight
but I can't figure out which Administrator I want to impersonate (Ummmm..)
And Dr. Phil said, "Failure is no accident."
Uh-huhhh! "Then why's your hands red? Man you busted!"
Well at age twelve, I

Re:

[bconway]

Well, to be fair, you did choose to use PHP, which is notoriously buggy and insecure.

Re:

[joebp]

This is about bugs in PHP itself, not applications written in PHP. Both have an utterly appalling security record though.

Re:

[rufus t firefly]

This is about bugs in PHP itself, not applications written in PHP. Both have an utterly appalling security record though.

I'm not sure how I feel about that statement.

I'm the primary developer of an opensource PHP-based application, and I can attest that PHP security is more in the hands of the application developer. Yes, we've all heard some of the stupid PHP Nuke exploits, people not quoting their SQL properly ... but should the PHP interpreter developers really be held accountable for other peoples'

Re:

[raju1kabir]

Did you read the interview? These are security bugs in the interpreter itself, not bugs in poorly-written PHP applications.

Re:

[rufus t firefly]

Did you read the interview? These are security bugs in the interpreter itself, not bugs in poorly-written PHP applications.

I understand ; I was complaining about the general dumping on PHP applications which seems to follow any thread with the word "PHP" in it.

Re:

[Bogtha]

people not quoting their SQL properly ... but should the PHP interpreter developers really be held accountable for other peoples' shoddy coding practices?

In the case of SQL injection attacks, definitely yes. They provide add_slashes(), oh, but wait, that's insecure, so they provided mysql_escape_string() instead. Oh wait, that's insecure too, so they provided mysql_real_escape_string() instead. All the while, ignoring the fact that string concatenation is prone to security problems by its very natu

Re:

[SimHacker]

There are many reasons that add_slashes is insecure, and if you think about it, you should be able to come up with a few yourself. Have you ever heard of Unicode? Do you really know what the quoting conventions of your database are, or are you just assuming that add_slashes somehow magically does? Have you even bothered to use google or read any of the many security articles about PHP? Obviously not. And the same goes for so many other PHP developers. They need training wheels and adult supervision, otherw

Re:

[Bastard of Subhumani]

If it's so buggy and insecure, why do so many large (and small, like the one I work for) companies have sites that use PHP

I'm sure there's a fancy Latin name for it, but what you're saying is equivalent to "Eat shit - a billion flies can't be wrong".

Re:

[kestasjk]

I'm a PHP enthusiast with a few servers running PHP apps, and I say bring it on. If such a small team can look for and find so many bugs I doubt a determined attacker would have much problem anyway.
I'm sure that after the dust has settled PHP will be more secure than it was, and that can only be a good thing.

Re:

[mobby_6kl]

I'm sure that after the dust has settled PHP will be more secure than it was ...

That's like saying that the ocean will be more wet after it's been raining for a day than it was before.

NM

[mobby_6kl]

Disregard that post, I should have previewed and read it again before submitting. It actually makes it sound like PHP is the OpenBSD of scripting languages, which is obviously the opposite of the desired effect.

Re:

[lymond01]

Your posts are like the Edgar J. Hoover of Broadway theatre.

Arr? (Scooby-doo head tilt)

Re:

[miyako]

This comment reflects what seems to be one of the biggest misconceptions in computer security. People seem to be under the impression that vulnrabilities are magically conjured into existance when the bugs are made public.
The fact is that the bugs have really been there the whole time, and just because we didn't know about it doesn't mean that some nefarious person didn't know about it.
Now, script kiddies might not know about the vulnrabilities until they are made public, but they are called script kiddi

Re:

[julesh]

This comment reflects what seems to be one of the biggest misconceptions in computer security. People seem to be under the impression that vulnrabilities are magically conjured into existance when the bugs are made public.

Well, yes, but the fact is that there is incalculably higher risk from an unpatched, publicised bug (especially if more than a few weeks old) than there is in an unpublicised one. Almost all exploits occur using well known bugs, even if you discount worms.

Re:great...

[elrous0]

Hey, my un-fashionable use of Perl finally pays off!

[Ducks down and hopes next month isn't the "31 days of Perl Bugs"]

-Eric

Re:

[drinkypoo]

Don't worry, perl is safe. No one can find the bugs through all the punctuation.

Look on the open/bright side.

[kale77in]

The bright side, it seems to me, is that PHP's openness means even if the developers are slack, the bugs can still be disclosed without IP litigation threats.

Also, he's given the developers a week or two of warning before March. If there's anything *that* serious in there, actually known to the developers, the fix could conceivably be ready by the time the bug is announced.

I run PHP sites, and I'd rather see the bugs public and being patched, than known only to the developers (we hope).

Re:

[Mr. Underbridge]

Looks like this will also be "Month-of-me-working-harder-to-make-sure-my-site- i s-patched- and-updated-and-not-exploited-by-script-kiddies"

Well, if the article is to be believed and the PHP team hasn't much cared about some of these bugs, patching and updating won't help you. In any event, these bugs won't be fixed live. So they will result in potential compromise you won't be able to stop, likely.

In other words, this will also be "Month-of-you-getting-bent-over-by-open-security-h oles-in-PHP-you-can'

Re:

[suv4x4]

Looks like this will also be "Month-of-me-working-harder-to-make-sure-my-site- i s-patched- and-updated-and-not-exploited-by-script-kiddies"

You can thank the PHP internals and Zend about this. Having to deal with them at some points, they are literally like having to handle a bunch of spoiled children on a mission to have fun on your expense.

I've said it plenty of times and I'll say it again: PHP is going down, fast. The only reason to use it right now, is because there's still some money to be made from cl

Re:

[rho]

(Much) faster, more stable and more consistent alternatives currently include Mono (C# - an excellent language), Python, Java and possibly Ruby 2.0, from the looks of it.

I hear this a lot. PHP has a massive installed base of working apps. There is no compelling reason to move to a new language simply because it appears to be more secure at the expense of not having functional applications.

Re:

[jZnat]

There is no compelling reason to move to a new operating system simply because it appears to be more secure at the expense of not having functional applications.

Notice the similarities when you replace "language" with "operating system". :O

Re:

[julesh]

Maybe you shouldn't bother with the patches. If you're running any of the well-known PHP software, there's a good change your server has already been compromised by one or more such script kiddies.

I actually persuaded my business partner to authorise a 2-month long project to reimplement all the features we need from phpBB from scratch, rather than use original code, just for this reason. It didn't take much work to convince him that we didn't want the hassle of having to deal with regular [netcraft.com] 0-day [netcraft.com] exploit [astahost.com] sc

Huh

[Anonymous Coward]

I thought every month was PHP Bugs month?

March that never ended

[CortoMaltese]

I hereby declare March 2007 the March that never ended, in spirit of September that never ended [catb.org].

even if...

[cosmocain]

...there are that much holes in PHP (which i don't doubt), mr. esser seems to be on a kind of crusade since he left the security response team.

Re:even if...

[Alphager]

He began his crusade when he founded the security-team: He wants a secure PHP. He left the security-team out of frustration that the main devs didn't care about security (leaving security-critical bugs unfixed for ages). This month of PHP-bugs is his effort to put pressure on the devs to finally make security a priority.

Re:

[Chris_Jefferson]

For many of these bugs he did write code to fix them. However he couldn't get the patches accepted into the PHP mainline.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[moranar]

Maybe he didn't think it would make any difference? Forking PHP wouldn't change the countless developers who don't know nor care about security, the thousands of servers with PHP already there, plus it'd have to get a sizable team to carry it forward. Seriously, if you really want a secure language for the web, you don't stop at PHP.

Maybe what he cared more about was security, not the language.

Re:even if...

[moranar]

Or maybe, just maybe, on reading the article we'd find he did "fork" PHP, through Hardened-PHP and Suhosin. The wonders never cease.

Fork marketing?

[tepples]

So why didn't he fork the project then?

I'm guessing because he lacked the ability to market his fork to the vast majority of shared web hosting providers.

Re:

[gmack]

sure - i understand the frustration that's driving him. and i guess the MoPHPb will wake some folks up, hopefully the devs. but it'll wake up script-kiddies, too. in fact, that's what i fear most, it might only wake up the script kiddies, as the devs didn't seem to care in the past and that leaves more than thirty unpatched publicly documented security holes and a few folks, who need to run php. what a lot of fun...

The script kiddies are already awake. The probes for PHP vulnerabilities are getting mor

Re:

[gmack]

No.. it's a good thing. PHP apps are now the most common means of gaining a remote shell on Linux and as a sysadmin I have to constantly worry about what PHP code some customer installed can allow some attacker to break into my server. PHP allows some things it really shouldn't.. take includes on a variable for instance a few months back we had a machine spewing DoS attempts and the admin in charge of the box couldn't figure out how the attacker got a shell. The culprit? Some programmer used a variable

Re:

[M. Baranczak]

This "feature" was used for passing request parameters into the script. So there was a legitimate need for it, it was just implemented in a really bone-headed way, since it allowed the overriding of local variables if you weren't careful. This was fixed in version 5 - unfortunately, this meant breaking backwards compatibility, since most older scripts relied on the old way of passing parameters. So a lot of servers out there (I'm assuming yours is among them) are still stuck using PHP 4.

I wanted to like PHP

Re:

[julesh]

This "feature" was used for passing request parameters into the script. So there was a legitimate need for it, it was just implemented in a really bone-headed way, since it allowed the overriding of local variables if you weren't careful. This was fixed in version 5 - unfortunately, this meant breaking backwards compatibility, since most older scripts relied on the old way of passing parameters. So a lot of servers out there (I'm assuming yours is among them) are still stuck using PHP 4.

Strange. I have a s

Hear, hear.

[cortana]

An anonymous coward said some time ago,

When I looked at Zend's introduction to PHP, the first sample PHP program was Hello World, and the second was a cross-site scripting vulnerability.

Re:

[julesh]

PHP allows some things it really shouldn't.. take includes on a variable for instance [...] I mean really.. what legitimate reason is there for that "feature" in the first place?

1. Define in a config file a variable that specifies the location of your code, e.g.:

config.inc:
$modulebase = "/usr/local/lib/mypackage/2.3.11/modules";

In the rest of the code:
include ($modulebase . "/file_you_need.inc");

Then, you can upgrade versions of the modules by installing a new version in a new directory, and switching the

Blatant Self-Promotion

[Ron Harwood]

This stinks of self-promotion. Calling something a "Month of PHP Bugs" does nothing to improve PHP's reputation. It sounds spiteful, in fact.

Yep. Everything he writes on this topic is along the lines of:

-They all suck.
-I'm the greatest.
-They're all out to get me.
-The fools, the laughed at me at the institute.
-You aren't taking me seriously! I've fixed everything in my personal extension to PHP and you keep breaking it by changing the language!

etc... etc...

I don't know what he thinks he's going to accompli

Re:

[tobiasly]

This stinks of self-promotion.

Of course it's self-promotion. Why does the guy stick his picture on the front of the article?

Attention geek bloggers: You are not attractive. Stop [networkper...edaily.com] posting [securityfocus.com] pictures [zdnet.com] of your dorky [zdnet.com] looking [businessweek.com] selves [pcmag.com] at the top of your blog.

It doesn't make you look like a real journalist, it just makes you look like a tool.

(Note: in case you're wondering how I got so many pictures to prove my point, I simply looked up the fud tag [slashdot.org] on Slashdot and started clicking away :)

Re:

[nasch]

Attention geek bloggers: You are not attractive. Stop [networkper...edaily.com] posting [securityfocus.com] pictures [zdnet.com] of your dorky [zdnet.com] looking [businessweek.com] selves [pcmag.com] at the top of your blog.

Some searching, however, came up with these.

Top 10 Blogger Babes [gizmodo.com]

Gamer chick (don't know if she's actually a blogger) Morgan Webb [google.com]

i suggest for next month

[Anonymous Coward]

month of PCP bugs. i see them all over my skin and i can't scratch them off! SOMEONE HELP ME

Two words:

[T-Ranger]

Scratch harder.

Partially surprising

[Anonymous Coward]

I really shouldn't be surprised at the PHP team's approach to security any more, but it really does still surprise me from time to time. It's amazing, but the PHP team are worse than Microsoft ever were with security. And they don't even learn from this - they've had this attitude for as long as I can remember (PHP 3 days), and they just aren't getting it. Or rather, if they get it, they just don't care.

PHP is a disgrace to the open source community.

[Anonymous Coward]

It's amazing, but the PHP team are worse than Microsoft ever were with security.

This is very true. And also very unfortunate. When it comes to many managers, PHP has given the entire open source community a bad name. This is mainly because it has been repeatedly pushed as being part of the LAMP suite, when in fact Python and Perl are far better options for the 'P'. So when you recommend the use of Linux, Apache or MySQL, they automatically think of PHP, and recall how terrible its security is. And then they associate that lack of security with Linux, Apache and MySQL, even when that's not the case!

If there's one thing the open source community as a whole should do, it should be to disown PHP. Responsible open source developers and projects need to just stop using it for their web sites. It'd be good if more things like this Month of PHP Bugs were held, just to show the public that the OSS community knows that PHP is terrible, and wants to do something about it. The longer we continue to use PHP, the harder it will be to repair the reputation of even completely unrelated (and far more secure) open source projects.

Re:PHP is a disgrace to the open source community.

[archen]

The problem with PHP is that it's very easy. One of the supposed advantages of Lamp is that it is also rather easy to set up and work with. I've seen more projects than I would care to, where the programmers couldn't code their way out of a paper bag but managed to accumulate a surprisingly functional mass of PHP spaghetti code. Perl is a good option only if the coders are disciplined, and having good structure is critical for a good Perl project. I don't have any experience with Python, but due to the nature of python language structure, you'll never be able to embed it the way you could with PHP (templates are necessary here as well).

One of the problems with PHP is the fact that when the bar of entry is so low, you get a lot more low bar people actually coding it. It's become the next generation of VB garbage. The language is only half of the security problem (a half we could better do without, but still).

Re:

[julesh]

I really shouldn't be surprised at the PHP team's approach to security any more, but it really does still surprise me from time to time. It's amazing, but the PHP team are worse than Microsoft ever were with security. And they don't even learn from this - they've had this attitude for as long as I can remember (PHP 3 days), and they just aren't getting it. Or rather, if they get it, they just don't care.

I'm not surprised. Their attitude to bug reports in general is pretty hostile. See, for instance, this [php.net]

For once

[Timesprout]

I am actually glad to see one of these xxx month of bugs. Personally I have always thought PHP to be a steaming pile of poorly thought out garbage but there is no denying its popularity despite its flaws. Anything that actually helps the meme 'most php flaws are caused by poor programmers' actually become a reality by improving the core security of the language is therefore to be welcomed.

Re:

[jimicus]

Anything that actually helps the meme 'most php flaws are caused by poor programmers' actually become a reality

Most flaws in any code are caused by poor programmers. It's possible to write clearly structured, well laid out code in BASIC (no, not visual BASIC, the real thing), as most implementations support things like local variables and procedures. It's just exceptionally rare.

This is why so many computer science degrees (at least until recently in the UK) used Modula-2 or Pascal as their primary teachi

Re:

[mstone]

To be fair, Pascal was originally designed as a teaching tool and to match the real-world value of say, C, you have to bolt on some extensions. That works, but it's less than perfect.

The Modula family of languages, OTOH, are way cool.

Re:

[rho]

Personally I have always thought PHP to be a steaming pile of poorly thought out garbage but there is no denying its popularity despite its flaws.

A critical thinker will look at those two clauses and derive some wisdom. PHP is not "poorly thought out", it changes to meet the market's needs. Java was very well thought out, but it's mostly popular with big shops where you can hire a guy for $70,000/year to maintain a tiny little bit of a larger program. PHP is very popular because it allows a single person

Re:

[drinkypoo]

PHP is very popular because it allows a single person (or a small group) to make functional applications quickly and easily, with a lot of flexibility.

So does ASP. In fact, ASP is easier in a lot of ways, and has MORE flexibility (supports any ISAPI language, including vbscript (yuck), perl (whee), php (hello month of bugs!), python, blah blah blah.

PHP is popular because it's free and Free and lets one person write a very simple/stupid dynamic webpage very easily. Unfortunately, it seems that when you get

Install modsecurity

[HxBro]

I recently installed modsecurity http://www.modsecurity.org/ [modsecurity.org] for apache along with the rules from http://www.gotroot.com/ [gotroot.com] and it's done a good job of blocking attacks on my server including a lot of the php mail() injection attempts, whilst it has shown up a few false positives like someone posting a message with sql keywords e.g. "select" "from", it is certainly worth installing even if you have to monitor the logs for a bit afterwards to watch for the false positives and alter the rules accordingly.

Whilst it probably won't solve a lot of the problems with php and security it does help protect the server especially when you don't have control over what your users are uploading to their web space.

Are bugs the problem?

[cerelib]

I always had the feeling that the bad security reputation with PHP had less to do with technical bugs and more to do with how easy it is to write insecure code(especially when using the mysql module). Also at fault is the general lack of programming understanding by the amatuers who find their way to PHP because it is so easy to go from having a static HTML page to a dynamic PHP page. Are there a lot of vulnerabilities in the interpreter?

Re:

[CodeShark]

Poor code writing and a failure to integrate known fixes is the problem. For example, code/modules developed by the Hardened PHP project referenced earlier has fixes many of the known vulnerabilities, and in general PHP 5.X is much more secure than prior versions.

Personally while I don't necessarily like all the work I have to do when there is a "bug exposure" in the media for tools I am using -- like PHP -- I don't have time to track everything let alone fix them, this "month of bugs" won't affect me as m

Re:

[poot_rootbeer]

I always had the feeling that the bad security reputation with PHP had less to do with technical bugs and more to do with how easy it is to write insecure code

Or even more likely, how easy it is to download and run insecure code written by some other lousy programmer. It's not the people who are writing their own CMS systems that are getting haxor'd, it's the people who grabbed a copy of PHPNuke and threw it up there on the 'net.

Wait...

[kahei]

Only a month?

Ha ha, yes, thank you, I'll be here all week, bringing predictable yet mildly amusing banter. In fact, I'll be here all year. The whole of my life, probably. *breaks down and cries*

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[julesh]

If he really wants to make a difference, he should fork PHP and really fix up the language and interpreter to his liking.

Err... he has [hardened-php.org].

Sometimes I think people don't read the articles.

Then I remember I'm reading slashdot.

Coming in April

[bill_mcgonigle]

"Month of Shooting Fish In a Barrel"

At least the Month of Apple Bugs was a hard target to go after.

A Couple Easy Precautions

[corychristison]

I've been running PHP for some time now, I try to use the latest and greatest, but sometimes I am a little behind.

Here are a few simple precautions for PHP configuration:

• Do not(!) install cURL. I know it is useful, but has a lot of security problems!
• Disable register globals [default as of 4.2.0]
• Safemode is worthless and a little too restricting, use OpenBaseDir.
• disable_functions = exec,system,passthru,shell_exec,proc_open,proc_clo se,proc_terminate,proc_nice,proc_get_status (may be more, off the top of my head :-)

These are what I can think of off the top of my head. This allows full compatability with all major scripts [mostly due to not using SafeMode] but still holds a fair bit of protection from people executing scripts and pushing them to run in the background. Had this happen to me a few years ago. I was hosting someone as a favour, and I'm not sure if they did it, or they were running some crappy code and it was exploited. Either way, their account was suspended.

This is going to be fun

[lewp]

I'm going to need enough popcorn to last... March.

Slashdot, give it a rest!

[AutopsyReport]

If you teach a man to fish with a rod, he won't immediately know a better way to catch more fish. The idea of using a mesh net to catch more fish at once will not be apparent to him -- it will take time. A man and his tools are departed only when he finds something better for the job.

So let's apply this concept to learning in the PHP community. For years, PHP developers (newbies, amateurs, and experts alike) have been handed down wisdom that reflected the current knowledge. Years ago, it was using regist

Re:

[AutopsyReport]

Blaming PHP for being insecure / providing insecure tools is more like blaming auto manufacturers for cars that explode themself.

When was the last time you installed PHP and it "exploded" on you? As I said, give it a rest.

Yes, this _is_ unethical

[DigitAl56K]

"At this point you stop bothering whether anyone considers the disclosure of unreported vulnerabilities unethical."

Maybe. But to take more than 31 bugs and disclose them a day at a time so that in effect major web-facing infrastructure for big business and home users alike will have no chance at all of being secured during this entire window, all for the purposes of publicity?

Re:

[clawoo]

Not to start a little argument over PHP and Python, but you're comparing apples with oranges here. You are saying that PHP is insecure, its semantics are undesirable and so are its standard libraries, database interfacing, interpreter and performance, and then you come along saying how awesome Django is, disregarding that actually you're comparing a language with a framework.

There are a handful [cakephp.org] of decent [xisc.com] PHP frameworks [symfony-project.com] out there, with others coming along [zend.com], which you can take and compare with Django, but

Re:

[xtracto]

Well, I do not have a lot of experience with PHP (only some typical unsecure LAMP tests) but after looking what they did with mysql_real_escape_string() [php.net] and mysql_escape_string() [php.net] I agree with GP. What kind of programming language is that? what the heck does REAL is supposed to mean?

I have programmed in PHP and C#/VB.NET for web forms (back when .NET was just out) and I can tell you that even there, the microsoft product was better than PHP. One of the things I dislike about PHP and I liked about the WebFor

Re:

[julesh]

after looking what they did with mysql_real_escape_string() and mysql_escape_string() I agree with GP. What kind of programming language is that? what the heck does REAL is supposed to mean?

It's a backwards compatibility hack. When they implement mysql_escape_string, the MySQL C API didn't need a connection object to the server to perform quoting, it just did it locally. Some advanced features were added in later MySQL versions, and a connection to the server is now needed in order to know what character

Re:

[julesh]

One more thing:

One of the things I dislike about PHP and I liked about the WebForms .NET approach is the separation of the interface with the functionality which allowed us to create a real multi tier application. I have not programmed "for real" web applications for some time but as far as I know it is not possible to do that sepparation with PHP.

As somebody who has written a 3-tier web application in PHP for a well-known multinational company, I can assure you that tier separation is not only possible in

Re:

[julesh]

Have a back end program that doesn't produce any HTML output. Have it produce a data structure that describes the information to be embedded in the page, along with the name of the template to embed the data into. More complex schemes may be necessary for some apps, but this suffices for most. Serialize this data structure (you could use any appropriate data serialization format, I generally use simple XML schemes)

Write a front end program that takes the user's request parameters and parses them, selects

Re:

[julesh]

Do not let it execute inside web pages. X server pages is bad. Take PHP outside of web pages altogether. Good PHP programmers should be using Smarty templates anyways.

One way of looking at PHP is that it is an extremely powerful templating language. That's the job it was designed to do in the first place, anyway. So why not write your back end in a more powerful language and just do a quick front end templating job in PHP that takes those results and slaps them into a web page.

Oh, right, the reason not to

Re:

[julesh]

Hmmm... The munged PHP code from my post was:

    (lack of quotation marks deliberate)

and

    (addition of quotation marks also deliberate)

Re:

[42forty-two42]

Still munged I'm afraid.

Re:

[FreakTrap]

$a = array (1, 2, 3, 4);
foreach ($a as &$b) $b++;
foreach ($a as $b) $b++;
print_r ($a);

It is increment twice because after the first loop, $b is still a pointer to the fourth element of $a. Continuing in the code, the second loop will assign the fourth value of $a each value of $a, then increment it. Try debugging it like so:

$a = array (1, 2, 3, 4);
foreach($a as &$b){
$b++;
}
print_r($a);
foreach($a as $b){
print_r($a);
$b++;
print_r($a);
}
print_r($a);

... and you will see what it is doing. S

Re:

[julesh]

Do we need a month dedicated to every application that has bugs in it? Because I'm pretty sure our sun will have imploded by then.

Suns normally explode. Only IBM Netfinities implode.

Oh, right. You meant... never mind.

Re:

[julesh]

I'm not a programmer and never will be, so "Code your own!" doesn't work for me. If PHP is really so insecure then what are realistic alternatives?


Right now, they're very few and very far between. You could look through sourceforge projects in the Internet/WWW category with the filter 'excluding programming language PHP' applied.

The problem is that so much stuff was implemented in PHP in the late 90s/early 2000's that just about every hosting service went out and installed it. This led to a positive feedb