web application security lab

Month Of PHP Bugs

Well, the Month of PHP Bugs is fast approaching. If you haven’t been following Stefan Esser’s blog and you run PHP, read this now. Over a 31-day period starting next Thursday (March 1st), Stefan plans to release one or more vulnerabilities each day in PHP itself (the underlying language, not particular applications). He didn’t say whether he would provide demonstration code or exploit particular applications directly. That’s the bad news.

The good news is that PHP 5.2.1 apparently fixes some of the issues Stefan will be disclosing. Further, Stefan is the author of Suhosin, a hardening patch for PHP. My gut tells me Stefan will keep Suhosin up to date, though I have no proof of this. It also tells me that if you run PHP, haven’t updated it lately, and don’t run Suhosin, you are in for a rough month. Time to patch up!

8 Responses to “Month Of PHP Bugs”

  1. Jungsonn Says:

    Suhosin can also prevent unknown vulnerabilities; that’s the coolest part.

    But really, my experience with hosting (I’ve been in this field a couple of years) is that they don’t upgrade to it as much as you want them to. Mainly their argument goes: “Well, PHP 5… it’s new. It has to prove itself first,” and I can agree with them on some level. You never know the “new” bugs which are not found yet; on an earlier version, you know your enemy, and can patch that or turn those features off in the php.ini.

    If I may speak for myself: I don’t upgrade. I have a PHP 4.x, but I never use much from it. Most of the fixes in the newest PHP versions are mainly server-side issues which could be exploited by users who already have access to the server itself.

    But if anyone wants to upgrade, it’s always a good idea! :)

  2. .mario Says:

    I have been running Suhosin for months and I am pretty content - looking forward to March 07…

  3. Christ1an Says:

    I’d never run PHP without the Suhosin patch! And Jungsonn, the vulnerabilities are not unknown. The point is that the PHP group needs months to fix them, which is one of the reasons (not the main one) why Stefan retired.

    Anyway, as I already mentioned on the forum, March will be very amusing.

  4. Ilia Alshanetsky Says:

    While Suhosin is a great tool for improving the security of PHP applications, it wouldn’t have saved you from some of the security issues resolved in PHP 5.2.1. So, regardless of Suhosin, you should upgrade your PHP version.

  5. Stefan Esser Says:

    Yes PHP 5.2.1 and PHP 4.4.5 fix some of the MOPB vulnerabilities.

    They even fix more bugs than you can see from the changelog. The release announcement “forgets” to mention several vulnerabilities that were also fixed. Including one that opens up PHP applications to remote code execution exploits.

    However, at some point I stopped disclosing the rest of the bugs to the PHP Security Team, because Zend people were publicly saying on the PHP internals mailing list that they do not know of any security holes in current PHP. Which is actually the usual enterprise marketing nonsense. They define current PHP as the current CVS snapshot that already contained the fixes. However, as usual it took months until the normal user got notified about these fixes.

    Time enough for all the script kiddies in the world to ready their exploit code after their CVS-watching script alerted them about the commit.

    Furthermore, I stopped disclosing those bugs to them because they have a habit of labeling the bugs with their own names. The best example is how Rasmus claimed on internals that there were practically no remote exploits in PHP’s past and that “THEY” made PHP more secure by providing allow_url_include (a totally broken solution).

    Without my kick in the ass through my blog posting (which resulted in Nuno calling me an immoral traitor for talking about PHP security holes in public), allow_url_include would still not be worth anything. But of course it was “THEM” who made PHP more secure…

  6. Stefan Esser Says:

    Oh, btw, you should only upgrade to PHP 5.2.1 or PHP 4.4.5 if you are prepared to break your sites.

    Both releases introduced crash/script termination bugs that break sites. Another reason why PHP needs security-only fix releases.

    The irony of this is that PHP 5.2.1 was broken because perfectly secure code was changed all over the place to use safe_emalloc() instead of emalloc(). During this pseudo security improvement, in at least one place safe_emalloc() was called in the wrong way, which resulted in a totally unnecessary off-by-one overflow.
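To make the allocation-arithmetic point in the comment above concrete, here is an added example (written for this page, not code from PHP or from Stefan). It assumes the argument shape of safe_emalloc(nmemb, size, offset), namely "allocate nmemb * size + offset bytes, and fail rather than let the arithmetic wrap"; that reading is an assumption, and the allocator below is a stand-alone reimplementation of it, not PHP's. The functions reserved_wrong and reserved_right show the pitfall described in the comment: emalloc(len + 1) for a C string has to become safe_emalloc(len, 1, 1), and passing 0 as the offset keeps the multiplication checked but silently drops the terminator byte, an off-by-one. The join helper and its sample input are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* nmemb * size + offset into *out; 0 on success, -1 if any step would wrap size_t. */
int checked_alloc_size(size_t nmemb, size_t size, size_t offset, size_t *out)
{
    if (size != 0 && nmemb > SIZE_MAX / size)
        return -1;                         /* nmemb * size would wrap */
    size_t bytes = nmemb * size;
    if (offset > SIZE_MAX - bytes)
        return -1;                         /* + offset would wrap */
    *out = bytes + offset;
    return 0;
}

/* 1 if the request would wrap (and must be refused), 0 if it is representable. */
int would_wrap(size_t nmemb, size_t size, size_t offset)
{
    size_t unused;
    return checked_alloc_size(nmemb, size, offset, &unused) != 0;
}

/* Allocator with the safe_emalloc argument shape (assumed semantics, see lead-in). */
void *safe_malloc(size_t nmemb, size_t size, size_t offset)
{
    size_t bytes;
    if (checked_alloc_size(nmemb, size, offset, &bytes) != 0)
        return NULL;
    return malloc(bytes);
}

/* The off-by-one: emalloc(len + 1) for a C string must become
 * safe_emalloc(len, 1, 1); writing safe_emalloc(len, 1, 0) keeps the
 * multiplication checked but loses the terminator byte. These return the byte
 * count each form reserves so the shortfall can be checked without corrupting memory. */
size_t reserved_wrong(size_t len)  { size_t n = 0; checked_alloc_size(len, sizeof(char), 0, &n); return n; }
size_t reserved_right(size_t len)  { size_t n = 0; checked_alloc_size(len, sizeof(char), 1, &n); return n; }
size_t needed_for_cstring(size_t len) { return len + 1; }   /* payload + NUL */

/* Correct use: join n strings with sep into a fresh buffer of
 * (n - 1) * strlen(sep) + sum(strlen(parts)) + 1 bytes, the product checked.
 * Returns NULL if the size is not representable; caller frees the result. */
char *join_checked(const char **parts, size_t n, const char *sep)
{
    size_t seplen = strlen(sep), total = 0;
    for (size_t i = 0; i < n; i++) {
        size_t l = strlen(parts[i]);
        if (l >= SIZE_MAX - total)          /* keep total + 1 representable */
            return NULL;
        total += l;
    }
    size_t seps = n ? n - 1 : 0;
    char *buf = safe_malloc(seps, seplen, total + 1);   /* offset carries the NUL */
    if (buf == NULL)
        return NULL;
    char *p = buf;
    for (size_t i = 0; i < n; i++) {
        size_t l = strlen(parts[i]);
        memcpy(p, parts[i], l);
        p += l;
        if (i + 1 < n) {
            memcpy(p, sep, seplen);
            p += seplen;
        }
    }
    *p = '\0';
    return buf;
}

/* Constructed sample input for the example. */
const char *sample_parts[] = { "mopb", "php", "5.2.1" };

char *join_sample(void)
{
    return join_checked(sample_parts, 3, "-");   /* "mopb-php-5.2.1" */
}

int main(void)
{
    printf("reserved by safe_emalloc(len,1,0): %zu, needed: %zu\n",
           reserved_wrong(16), needed_for_cstring(16));
    printf("wrapping request refused: %d\n", would_wrap(SIZE_MAX / 2 + 1, 2, 0));
    char *s = join_sample();
    if (s) { puts(s); free(s); }
    return 0;
}
```

The two checks in checked_alloc_size are the whole reason a helper like this exists: a plain nmemb * size can wrap to a small number and hand the caller a buffer far shorter than the data it is about to copy. The offset parameter is what makes a mechanical emalloc(a * b + c) to safe_emalloc(a, b, c) conversion safe; a reviewer of such a conversion should check every call site where the original expression had a trailing + 1 for a terminator and confirm that the 1 ended up in the offset.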

  7. Ilia Alshanetsky Says:

    Stefan, that break that you mention in 5.2.1 affects a single function that is quite rare; you are exaggerating the issue there.

  8. MustLive Says:

    This is an interesting project. And Month Of PHP Bugs made the month - it was the main event of March. Well done, Stefan :-).

    I hope that the security level of PHP will rise.

    And I want to tell you that I am also planning my own Month of Bugs. I have been planning it since the beginning of March - it would be a very interesting event ;-). There will be more information soon.