A Month of PHP Bugs

You might recall that back in December 2006, Stefan Esser resigned from the PHP Security Response Team in disgust. At the time, Esser said that "any attempt to improve the security of PHP from the inside is futile.... The PHP Group will jump into your boat as soon you try to blame PHP's security problems on the user but the moment you criticize the security of PHP itself you become persona non grata. I stopped counting the times I was called immoral traitor for disclosing security holes in PHP or for developing Suhosin."

Suhosin is of course a fantastic patch for the PHP source code that makes it far more secure than it is without the patch. If you haven't read about Suhosin, you can do so at the URL below.


In response to Esser leaving the PHP Security Response Team, Zeev Suraski wrote that he'd "like to take the opportunity, again, and ask Stefan to come back to \[the\] security team, and work with the project and not against it. As any project that has hundreds of people contributing to it, you never find yourself in agreement with everyone at any given time. It doesn't mean that those who don't think exactly like you are your 'enemies,' and it certainly doesn't mean you should quit and turn to the 'other side.'" It seems to me that if Suraski is serious about wanting Esser back, then he could have gone without the two less-than-subtle digs at Esser.


So far, Esser has not returned to the team, and earlier this month, he declared that he's going to launch a "Month of PHP Bugs." He's now decided that March 2007 will be the month to do that. As is the trend, every day for the month of March, Esser will post about at least one bug in PHP. You can read more about it at the URL below.


PHP is widely used, and many of you undoubtedly have it in use on your systems. You should probably keep an eye on Esser's Web site in March to learn of the newly disclosed PHP bugs so that you can take action to defend your systems. The latest versions of PHP are 5.2.1 and 4.4.5, both released in the second week of February 2007, so be sure you're using the latest version.

You should also seriously consider integrating the Suhosin patch as soon as you can--if you can. Unfortunately, no precompiled package of PHP that includes Suhosin seems to be available, so you're on your own and will need to compile the patch yourself.



Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.