März zum Monat der "PHP-Bugs" ernannt


Stefan Esser has declared March the month of "PHP bugs". On the PHP-Security-Blog he intends to report every day on PHP bugs and current security vulnerabilities.

From the PHP-Security-Blog:

You might have heard about it from different places already. The month for the "Month of PHP bugs" was chosen, and it will be March. This means I will post every day in March information about one or more vulnerabilities within PHP.

Today PHP 5.2.1 was released, which fixes some (but not all) of the bugs I will cover in the "Month of PHP bugs". Actually, the release announcement already gives a list of bugs that were fixed. As usual, the release announcement gives too little information about the bugs, describes several bugs wrongly, forgets some security bugs that were fixed, downplays the seriousness of the bugs and does not give a single line of credit.

You will not find any hint anywhere that the security bugs listed were, as usual, reported by third parties. The release announcement, as usual, tries to make it look like all of the bugs were found by the PHP developers themselves, who have no problem crediting themselves in the Changelog for the little fixes they committed. But the original reporters, who actually did the work of finding and reporting the vulnerability and who are therefore responsible for the additional security of the PHP community, are not mentioned with a single line.

The latter is, by the way, the reason why most of the security vulnerabilities in PHP are found by the "Hardened-PHP Project". There is absolutely no benefit for a security researcher to disclose vulnerabilities in PHP. Security vulnerabilities in PHP are worth far more when kept private and sold to 3rd parties. Actually, if the list in the PHP 5.2.1 release announcement were complete and gave proper credit, it would be quite obvious to everyone that nearly all vulnerabilities in the list were actually reported by the Hardened-PHP Project and are not the work of the PHP developers.

Ah, and before I forget: during the "Month of PHP bugs" it will be demonstrated that the "Added internal heap protection" in PHP 5.2.1 (unlike the one within the Suhosin-Patch) does not stop the exploitability of lots of vulnerabilities at all.

You can find the original post HERE.
