PHP Group accused of security incompetence

PHP developer Stefan Esser has said he will go ahead with plans to disclose dozens of security flaws in PHP in March, hitting back at criticism that the "Month of PHP bugs" project is nothing more than dangerous, self-serving publicity.

The problem isn't irresponsible disclosure, but the sluggishness of the PHP team in fixing serious problems, Esser contended. He has first-hand experience with the PHP security process having created both the Hardened-PHP Project and the PHP Security Response Team, which he left acrimoniously in December.

Esser's argument is that PHP itself - as opposed to the numerous web applications written in the language - contains serious bugs, and that this fact isn't well-enough understood.

"Remote File Inclusions, vulnerabilities due to register_globals or other problems within the PHP engine... are fully to blame on the PHP language," he said in an interview with security website SecurityFocus. "Unfortunately this kind of thinking is not appreciated by the PHP developers, and they continue to claim that PHP is no worse than other languages."

He accused members of the PHP development team of ignoring security bugs he had submitted to them. "At this point you stop bothering whether anyone considers the disclosure of unreported vulnerabilities unethical," he said, according to the site.

He said PHP 5.2.1, released earlier this month, fixes some of the problems he reported to the PHP Group, but also highlights the problems with the way PHP security is managed. "As usual the release announcement gives too little information about the bugs, does describe several bugs wrongly, forgets some security bugs that were fixed, downplays the seriousness of the bugs and does not give a single line of credit," he said in a blog entry.

Zeev Suraski, co-creator of PHP and chief technology officer of Zend, which manages PHP development, said the "Month of PHP bugs" is likely to harm PHP, and urged Esser to rejoin the fold of the PHP Group.

He said much of the bad publicity around PHP security is due to problems with applications written in PHP, or problems with PHP that have made it easy for developers to code insecurely. He admitted that PHP itself has problems, but said the language is no more insecure than any other.

"Yes, there are security problems in PHP," he said in a blog entry. "I can hardly think of any other project in such a scope and of a similar nature that doesn't have security problems in it, at the same rate (give or take) as PHP. I believe we've had an excellent track record at fixing remotely exploitable problems and coming out with fixes immediately, and there haven't been that many of them either."

He said that Esser's project will create more problems than it solves, and urged Esser not to "turn to the 'other side'". "I'd like to take the opportunity, again, and ask Stefan to come to come back to security@ team, and work with the project and not against it," he wrote.