March, the Month Of PHP Bugs, Gets Moving
The Month of Apple Bugs and the Month of Browser Bugs inspired the Hardened-PHP Project to declare March as the Month of PHP Bugs or MOPB to highlight the security flaws in the core PHP software. The MOPB Project was introduced in the first week of March.
PHP is a general-purpose scripting language most commonly used to build dynamic web pages. On March 3, 2007, the PHP Security Response Group wrote, as reported on weblog.infoworld, that the catalog of bugs would not concentrate on issues in the PHP language that might lead to unsafe PHP applications, but on security flaws in the PHP core itself.
Stefan Esser, Developer for the PHP Security Response Team, commenced his MOPB Project with eleven bugs in five days, including a previously known vulnerability reintroduced in a new edition of PHP and many known bugs that he says will probably never be fixed. The published PHP bugs range in severity from common denial of service (DoS) to remote exploitation, and in many cases come with proof-of-concept exploit code.
Esser and his associates published eight vulnerabilities in the first three days of March, followed by three more on March 4 and 5. On March 6, 2007, Esser wrote on the project website, as reported by Computerworld, that unlike similar but unaffiliated projects such as the Month of Apple Bugs and the Month of Kernel Bugs, they do not impose a one-flaw-per-day limit on themselves.
The issues that make up the MOPB Project include inappropriate permissions, stack overflows, and string buffer overflows, much as in the earlier 'Month of' projects. Some cause DoS conditions or crashes, while others allow privilege escalation and other problems. Proof-of-concept exploit code is given where appropriate, according to the PHP Security Response Team, as reported by iTWire on March 6, 2007.
A cross-site scripting vulnerability (bug #8) was disclosed in October 2005 and patched, but then reintroduced in PHP 4.4.3, Esser said.
The MOPB Project focuses on the standard PHP distribution, but Esser added two 'bonus' bugs affecting the Zend Platform, which runs on a web server to monitor PHP applications and report on performance and potential problems.
SPAMfighter News - 19-03-2007