Researcher launches Month of PHP Bugs

By Joris Evers
Staff Writer, CNET News.com Published: March 2, 2007 9:15 AM PST

Tools

Related Stories: The good and the bad of bug campaigns
January 4, 2007; QuickTime zero-day bug threatens Macs, PCs
January 2, 2007; Attack code out for new Apple Wi-Fi flaw
November 1, 2006; Security expert dubs July the 'month of browser bugs'
July 5, 2006

A security researcher has kicked off a project to put the spotlight on flaws in the widely used PHP scripting language.

The initiative, dubbed "Month of PHP Bugs," started on Thursday. Five vulnerabilities have so far been disclosed, several of which could allow a system running PHP to be compromised, according to the project Web site.

"This initiative is an effort to improve the security of PHP," Stefan Esser, a noted PHP security expert, wrote on the project Web site. The bug releases will focus on vulnerabilities in the PHP core, not on problems in the PHP language that might result in insecure PHP applications, he wrote.

PHP, which originally stood for Personal Home Page, is a popular scripting language used to create dynamic Web pages. Applications written in PHP accounted for 43 percent of the total vulnerabilities reported in 2006, according to a tally by Security Focus, a security news Web site.

The Month of PHP Bugs is backed by the Hardened-PHP Project, which was launched by three German security researchers in 2004. "You should consider the Month of PHP Bugs a result report for just another audit we did on PHP," Esser wrote.

Contrary to other "month of" bug projects that have been launched over the past months, the PHP effort will not only feature new bugs. Some may have already been patched, according to the project Web site. Also, many of the bugs will already have been reported to the PHP security team, the site notes.

The Month of PHP Bugs follows similar projects that highlighted bugs in software for Macs, kernel-level software and Web browsers. In all cases, the researchers behind the efforts said they wanted to improve security. Flaws that are publicly disclosed will get fixed quickly, they assert.

More from News.com on this story's topics: Security
Create an email alert | RSS feed; Flaws
RSS feed

See more CNET content tagged:
PHP, scripting language, researcher, bug, project

Add a Comment (Log in or register) 2 comments (Page 1 of 1)

Stefan Esser
by kailash badu March 2, 2007 12:00 PM PST: Tge gyy who is publishing the bugs actually also runs Hardened-PHP project which is backing this initiative. Actually, the guy provides a php security product, suhosin, which actually patches security bugs in PHP, via Hardened-PHP product. Also to be noted is the fact that he has recently fallen out with core PHP Team that is responsible for developing PHP. He quit the team follwing the tussle.; Reply to this comment

Microsoft should learn and follow suit
by wbenton March 7, 2007 6:33 AM PST: Such an initiative should have been implemented by Microsoft several years ago too.

In fact... even if they implement it today... even though it's quite late in the game... it will be for the benefit of everybody... including Microsoft themselves.

But they prefer to better spend their money paying of somebody $12 Million for infringing on their copyright rather than spend only a small amount of that to upgrade their OS base products.

Walt; Reply to this comment