"Month of PHP bugs" initiative

Rudy · 02-22-2007, 05:35 PM

Hey folks,
I'm wondering how many of you are aware of this, and what you are thinking about doing with your code as a result. What security measures are you going to take, etc...? I'd also be interested in hearing more about this if anyone has more information. I was first told about this earlier today by our main PHP developer here at the school I attend (I'm a sophomore in college right now).

This is important stuff to be aware, so if this is the first time you've heard about it, make sure to read below, and follow the link, and do your own research. Security is important, friends.

Here's what I read on Slashdot:
"Stefan Esser is the founder of both the Hardened-PHP Project and the PHP Security Response Team (which he recently left). During an interview with SecurityFocus he announced the upcoming Month of PHP bugs initiative in March."

Quote:

Originally Posted by Stefan Esser

We will disclose different types of bugs, mainly buffer overflows or double free (/destruction) vulnerabilities, some only local, but some remotely triggerable... Additionally there are some trivial bypass vulnerabilities in PHP's own protection features... As a vulnerability reporter you feel kinda puzzled how people among the PHP Security Response Team can claim in public that they do not know about any security vulnerability in PHP, when you disclosed about 20 holes to them in the two weeks before. At this point you stop bothering whether anyone considers the disclosure of unreported vulnerabilities unethical. Additionally a few of the reported bugs have been known for years among the PHP developers and will most probably never be fixed. In total we have more than 31 bugs to disclose, and therefore there will be days when more than one vulnerability will be disclosed.

Source: http://developers.slashdot.org/article.pl?...18&from=rss

- David

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)