Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

PHP Group accused of security incompetence

'Month of PHP bugs' designed to show that PHP security is even worse than supposed, developer says.

Article comments

PHP developer Stefan Esser has said he will go ahead with plans to disclose dozens of security flaws in PHP in March, hitting back at criticism that the "Month of PHP bugs" project is nothing more than dangerous, self-serving publicity.

The problem isn't irresponsible disclosure, but the sluggishness of the PHP team in fixing serious problems, Esser contended. He has first-hand experience with the PHP security process having created both the Hardened-PHP Project and the PHP Security Response Team, which he left acrimoniously in December.

Esser's argument is that PHP itself - as opposed to the numerous web applications written in the language - contains serious bugs, and that this fact isn't well-enough understood.

"Remote File Inclusions, vulnerabilities due to register_globals or other problems within the PHP engine... are fully to blame on the PHP language," he said in an interview with security website SecurityFocus. "Unfortunately this kind of thinking is not appreciated by the PHP developers, and they continue to claim that PHP is no worse than other languages."

He accused members of the PHP development team of ignoring security bugs he had submitted to them. "At this point you stop bothering whether anyone considers the disclosure of unreported vulnerabilities unethical," he said, according to the site.

He said PHP 5.2.1, released earlier this month, fixes some of the problems he reported to the PHP Group, but also highlights the problems with the way PHP security is managed. "As usual the release announcement gives too little information about the bugs, does describe several bugs wrongly, forgets some security bugs that were fixed, downplays the seriousness of the bugs and does not give a single line of credit," he said in a blog entry.

Zeev Suraski, co-creator of PHP and chief technology officer of Zend, which manages PHP development, said the "Month of PHP bugs" is likely to harm PHP, and urged Esser to rejoin the fold of the PHP Group.

He said much of the bad publicity around PHP security is due to problems with applications written in PHP, or problems with PHP that have made it easy for developers to code insecurely. He admitted that PHP itself has problems, but said the language is no more insecure than any other.

"Yes, there are security problems in PHP," he said in a blog entry. "I can hardly think of any other project in such a scope and of a similar nature that doesn't have security problems in it, at the same rate (give or take) as PHP. I believe we've had an excellent track record at fixing remotely exploitable problems and coming out with fixes immediately, and there haven't been that many of them either."

He said that Esser's project will create more problems than it solves, and urged Esser not to "turn to the 'other side'". "I'd like to take the opportunity, again, and ask Stefan to come to come back to security@ team, and work with the project and not against it," he wrote.


More from Techworld

More relevant IT news


Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *