News

Saturday, 10 February 2007

Overview of Month of PHP Bugs and PHP 5.2.1

Stefan Esser talks about the Month of PHP Bugs and PHP 5.2.1 over at the PHP Security blog. He informs you that the month for the Month of PHP Bugs has been chosen, and it will be March. So, he will post information about one or more vulnerabilities within PHP each day in March.

He talks about the recently released PHP 5.2.1, which fixes some of the bugs that he will cover in the ‘Month of PHP Bugs’. He comments on the release announcement for PHP 5.2.1 and says that, though it gives a list of the bugs fixed, it gives little information about the bugs. Also, he says, it describes several bugs wrongly, forgets some security bugs that were fixed, downplays the seriousness of the bugs and does not give a single line of credit.

He shows concern that there is no hint anywhere that the security bugs listed were, as usual, reported by third parties. The release announcement, like before, tries to make it look as if all of the bugs were found by the PHP developers themselves, who have no problem crediting themselves in the Changelog for the little fixes they committed. But the original reporters, who actually did the work of finding and reporting the vulnerabilities and who are therefore responsible for the additional security of the PHP community, are not mentioned with a single line.

Stefan says the latter is the reason why most of the security vulnerabilities in PHP are found by the ‘Hardened-PHP Project’. There is absolutely no benefit for a security researcher in disclosing vulnerabilities in PHP. Security vulnerabilities in PHP are worth far more when kept private and sold to third parties, he says. He reasons that if the list in the PHP 5.2.1 release announcement were complete and gave proper credit, it would be obvious to everyone that nearly all vulnerabilities in the list were actually reported by the Hardened-PHP Project and are not the work of the PHP developers.

He further informs you that during the ‘Month of PHP Bugs’ it will be demonstrated that the ‘added internal heap protection’ in PHP 5.2.1 does not stop the exploitability of many vulnerabilities at all.

Copyright @ 2008 SDA Asia Magazine - All Rights Reserved