Former PHP security team member Stefan Esser has launched a Month of PHP Bugs by posting five vulnerabilities.
The point of the Month of PHP Bugs is to demonstrate that PHP isn't as secure as it could be if the PHP core language developers adopted different processes for inspecting and rolling out new versions of PHP. Esser said that all the bugs to be posted this month will pertain to the core PHP engine itself and not to applications based on PHP. Application developers often write PHP application code that's exploitable.
Of the first five vulnerabilities posted, two could cause a system crash, one could cause maximum CPU usage, thereby creating a Denial of Service (DoS) condition, and two can be exploited to cause data overflow conditions. Proof-of-concept code was posted for the two overflow vulnerabilities in an effort to head off the potential claim that the bugs aren't exploitable. No such proof is necessary for the other three vulnerabilities.
According to details published by Esser, two of the vulnerabilities are already fixed in the current 4.x and 5.x versions of PHP, and three will likely go unfixed due to the PHP developers' preferred operational characteristics for PHP. Esser said that a possible workaround for two of the latter three vulnerabilities would be to integrate his Suhosin security patch for PHP. The remaining vulnerability can be fixed by specific coding practices when developing PHP applications.