Published on 2007-02-22 16:00:24

Slashdotted, As previously announced in an interview with Stefan Esser, March 2007 will be the month of PHP Bugs. A new initiative which goal is to make PHP more secure and discuss with more transparency the security issues related to PHP.

We will disclose different types of bugs, mainly buffer overflows or double free (/destruction) vulnerabilities, some only local, but some remotely triggerable... Additionally there are some trivial bypass vulnerabilities in PHP's own protection features... As a vulnerability reporter you feel kinda puzzled how people among the PHP Security Response Team can claim in public that they do not know about any security vulnerability in PHP, when you disclosed about 20 holes to them in the two weeks before. At this point you stop bothering whether anyone considers the disclosure of unreported vulnerabilities unethical. Additionally a few of the reported bugs have been known for years among the PHP developers and will most probably never be fixed. In total we have more than 31 bugs to disclose, and therefore there will be days when more than one vulnerability will be disclosed.

• Stefan Esser retired from PHP security team
• Securing PHP Applications
• Serious Gmail Vulnerability discovered
• Will PHP Be More Secure On March 2007 ?

• Drowning in Debt? Get Out Quickly
• [Contact us]

Member of the PHP Magazine Network, Copyright (C) 2005-2008 phpmagazine.net All Rights Reserved