Why I don't fear the Zend Framework

Sunday, November 13. 2005

Sunday, November 13. 2005



Until today there have been a lot of blog postings about the Zend Framework. People love or hate it for their own special reasons. I personally think that everyone who works on it should really consider what he does by signing the CLA and working on it. The message he gives is, that Zend is right in communicating the Zend Framework as a must, because all other frameworks are by definition bad and untrustworthy, because they are only developed by a bunch of open source geeks and there is no company in control. I seriously dislike this kind of message, because it is simply not true. I have released lots of security advisories and dealt with lots of vendors during the last 6 years. The worst security contacts were either when the project was developed by 16 year olds or when there was a company behind the project. These companies usually consider security holes as very bad publicity and always try to downplay the impact.


On the other hand one must see what a framework, which is used everywhere means for security researchers like me. When a common framework is used, this is a single point of failure for tons of web applications. A security hole in the framework will expose a large number of servers at the same time. We have recently seen how a flaw in PHP ($GLOBALS) put PEAR.php at risk and with it everything that is build around it. When everyone is using the Zend Framework, this also means, that the bad guys have a single attack vector to concentrate their power on.


The good thing from an attacker's point of view is, that the whole security of the Zend Framework will most probably rely on the skills of Chris 'not really an international recognised expert in the field of PHP Security and no PHP core developer at all' Shiflett. As long Zend continues to rely on his services, no serious security researcher will join their team and so long there will be no real security in the Zend Framework.

Posted by Stefan Esser in Security, PHP at 12:40
Comments (16)
Link to this post


Comments
Display comments as (Linear | Threaded)

#1 Stefan Esser ()
If you only dare to comment as Anonymous Coward, from some anonymous place like an internet cafe, then please don't waste your energy, I will delete your comments.

The blog posting as usual contains of facts.
posted on Sunday, November 13. 2005
#2 Ivo Jansch wrote (Link) ()
> When a common framework is used, this is a single point of failure for
> tons of web applications. A security hole in the framework will
> expose a large number of servers at the same time.

This works both ways. It is also a single point to fix, and also a single point that gets a lot more review than hundreds of different lines of code spread throughout numerous applications.

In my opinion, a framework doesn't necessarily give you a single point that could potentially be a problem, but instead gives you a single point to devote your energy to, thus strengthening it more than stuff without such 'single points'.

P.S. why the flame about Chris? If you feel the need to publicly criticise someone, at least use arguments.
posted on Sunday, November 13. 2005
#2.1 Stefan Esser ()
Maybe you ask Mr. Shiflett why he let himself be interviewed as representant of the PHP core developers? He is no core developer. He only has an account to the PHP doc tree, where his last commit is about 3 years ago.

The same for security. He claims on his own page that he is an international recognised expert in the field of PHP security. When you read what he writes you will find among several errors nothing new. Everything can be found in talks of other persons.
posted on Sunday, November 13. 2005
#2.2 Stefan Esser ()
Oh and maybe you ask Mr. Shiflett why he has removed the link to http://www.hardened-php.net from phpsec.org the moment we offered auditing services. Simply because he does not want that anyone elses auditing service is used beside brainblub.
posted on Sunday, November 13. 2005
#2.2.1 David Rodger ()
I don't care that you take issue with Chris Shiflett on security matters. To rationally argue these matters furthers the debate helps us all.

I just don't understand why you have to be so fucking nasty about it (and him).
posted on Sunday, November 13. 2005
#3 Chris Shiflett wrote (Link) ()
Note: I'll reply to Stefan's personal attacks, but I don't intend to indulge him beyond this. I'm disappointed by his consistent lack of professionalism.

> Maybe you ask Mr. Shiflett why he let himself be interviewed as
> representant of the PHP core developers?

1. I've never represented myself as a core PHP developer. In fact, I challenge you to ever find anyone who uses the phrase "core PHP developer" or "PHP core developer" in association with my name.

2. There are many people who are not core PHP developers who contribute positively to the PHP community.

> He claims on his own page that he is an international recognised
> expert in the field of PHP security.

1. My biography was written for me.

2. I focus on helping people. It was never my intention to be well-known, and it is not my fault that you are not.

> When you read what he writes you will find among several errors
> nothing new. Everything can be found in talks of other persons.

1. If you really do know of errors, you should inform me rather than make unsubstantiated claims.

2. Many people who speak about PHP security borrow content from me with my permission. It's no coincidence that these talks have some of the same information.

> Oh and maybe you ask Mr. Shiflett why he has removed the link to
> http://www.hardened-php.net from phpsec.org the moment we offered
> auditing services.

1. Your project is linked from the front page and has been for several months.

2. We have never linked to your auditing services. I offered to do exactly that, but your unprofessional behavior shortly thereafter made me rethink my offer.

3. The PHPSC library is an open library of links to which any member can add (automatically). I don't plan to help someone whose primary interest seems to be self-promotion, but you don't have to convince me - any member of the PHPSC can add a link to your services.

If you can clean up your behavior, I'll pay attention to you. Until then, I have better things to do.
posted on Sunday, November 13. 2005
#3.1 Stefan Esser ()
> 1. I've never represented myself as a core PHP developer. In fact, I
> challenge you to ever find anyone who uses the phrase "core PHP
> developer" or "PHP core developer" in association with my name.

http://www.oetrends.com/news.php?action=view_record&idnum=483

"Chris Shiflett, a vocal PHP dev, author, advocate, has been invited by Zend to join the PHP Framework project, and to help represent the core developer interests and needs."

Do I smell the word "core developer" or don't I smell it...

> 2. I focus on helping people. It was never my intention to be
> well-known, and it is not my fault that you are not.

I invite you to enter your name and my name into f.e. google the results speak for themself. You are a bit megalomanic.

> 2. We have never linked to your auditing services. I offered to do
> exactly that, but your unprofessional behavior shortly thereafter
> made me rethink my offer.

You removed us from your library when we started offering services. You have us on your front page to make it look like our work has anything todo with your crappy consortium.

> 3. The PHPSC library is an open library of links to which any
> member can add (automatically). I don't plan to help someone
> whose primary interest seems to be self-promotion,
> but you don't have to convince me - any member of the
> PHPSC can add a link to your services.

This joke actually made my day. Calling me self-promoting. Out of your mouth... LOL...
posted on Monday, November 14. 2005
#3.1.1 Ben Ramsey wrote (Link) ()
> I invite you to enter your name and my name into f.e. google
> the results speak for themself. You are a bit megalomanic.

I just did this at Google, and I'm not sure how the fact that a search on "Chris Shiflett" that yields more search results than one on "Stefan Esser" shows that Chris has any megalomania. It just means there are more references to him on other Web pages.

I get 239,000 on "Chris Shiflett" and 150,000 on "Stefan Esser". Be sure you're putting quotation marks around your names or you'll be searching for every Stefan out there.
posted on Monday, November 14. 2005
#3.1.1.1 Stefan Esser ()
Ben,

If you look into f.e. Redhat Advisories you will see about 4 different ways to spell my name. Additionally I am often referred to as "Esser" because people know which one is meant.

So you have to search correctly...
posted on Monday, November 14. 2005
#3.1.2 Steve Hafner wrote (Link) ()
Stefan,

As someone new to this conflict, I've just read through both of your arguments, and I can honestly say that you just seem to be jealous of Chris' success.

I can't actually find evidence of Chris doing anything morally or professionally wrong, whereas, I can count atleast two places where you've taken cheap shots at him. In contrast, he's never done that (as far as I can see), and just that shows the difference in professionalism between the two of you.

If you have a problem with him, you should take it up with him directly rather than attacking him through your blog. From what I can tell, you seem to write such negative posts basically to draw attention towards yourself. If I were to guess your age without looking at your biography, I'd probably say you were around 16.
posted on Monday, November 14. 2005
#3.1.2.1 Stefan Esser ()
Steve,

I just want to point you to http://shiflett.org/archive/128
where Shiflett started the whole "war", after I disclosed holes in his PHP Security Guide. He claims in his posting that I have not tried to contact the PHP Security Consortium, which is a blatant lie. He also claims, that the bug in his example is my fault of understanding it. I cannot accept such lies to the public, to keep up his "security expert" image.

Just for the record. Mr. CS started a personal vendetta against me, because he cannot stand that I found bugs in his examples. And until he publicly apologizes for lieing, I will point out every little error of him in public.

(You must also take into account that the blog posting from shiflett was already changed drastically, because he got angry emails from the rest of the consortium for attacking me)
posted on Monday, November 14. 2005
#4 bucky wrote (Link) ()
ouch. owned.
posted on Sunday, November 13. 2005
#5 David ()
Stefan,
I really do wish you'd bury the hatchet. This seems like a d*ck measuring contest, and it really doesn't reflect well on you. Your efforts in the PHP security arena should speak for themselves, which is one of the reasons I've linked to you from our LAMP user group site.

I'm not trying to say that you shouldn't be frank on your own blog, but from an outsiders point of view, the animosity, no matter the history only detracts from the message. I don't blame you for trying to buld a business around your PHP security expertise, and by that same token, it seems somewhat petty to be attacking another person's attempt to do the same. PHP needs more authorites and named people, and in general needs its professional image and profile increased if it's ever going to be taken seriously outside the open source world.

Reducing this to the absurd, I could post nasty stuff on my blog pointing out that your blog doesn't work real well on IE6 (true) and claim that makes you an idiot. Clearly you're not, and neither is CS. I think he's done a good job explaining security issues with PHP, but also strikes me as someone coming from the practitioner point of view. You seem (although I don't mean to try and speak for you) to come from the security research end of the spectrum.

I think there's plenty of room for CS and SE and obviously other people in this arena, and respectfully, I'd suggest that your contributions will be appreciated more without the vitriole. Someone once told me that once you lose your temper in a discussion, noone can hear what you're saying -- and will remember only that you were angry. It would be a shame if that's what this devolves into. It's interesting to note that I have both your sites in my delicious list, and CS's site, has 80 people bookmarking it, while your blog has 6. If google is a measure of your digeratti cred, so is delicious. i'd submit that attacking other people in the PHP community is one way to raise your profile, but in the end, probably not one that's going to get you the respect you'd like, whether you are right or wrong.

Seems to me that would be a shame. Hardened PHP is such and interesting project, and very few people I've spoken to have ever heard of it. I come here to learn more about PHP security issues from an expert, as I assume most others do as well after all.
posted on Monday, November 14. 2005
#5.1 Gareth Heyes ()
I think Stefan and Chris are really best of pals and this is all a marketing exercise....

Seriously though I think the PHP industry needs personalities and Stefan definitely has a strong personality and views. If Chris had just accepted there was a flaw in his security guide and given full credit then I don't think there would have been a problem. Surely professionalism extends to fixing problems when they are reported to you.
posted on Monday, November 14. 2005
#6 enygma wrote (Link) ()
Is it just me or does the content of this post not really match the title? It seems to me that all of the comments made in it are negative, yet the word "don't" confuses me...
posted on Monday, November 14. 2005
#7 2djr ()
It seems like most comments for CS are coming from CS's buddies (like Ben Ramsey who blogged about his buddy's 'excellent' book) so I give people like Ben and enygma close to no attention.

Aside from the stupid Google based D1ck-length competition (since when does the number of links about you mean anything about quality?) I want to point one thing - SE actually HAS done core level work to enhance PHP's security. Hardened-PHP is an essential addition to the PHP interpreter. I use it in practically every project I do.

On the other hand, CS's book is at best a rehash of various little security related articles I've read since PHP4 came along. Not that it's wrong for CS to cobble this common knowledge into his book, but let's not act like he's done some huge contribution to PHP's security.
posted on Thursday, December 8. 2005

Add Comment

Standard emoticons like :-) and ;-) are converted to images.
 

 
Calendar
Back July '09
Mon Tue Wed Thu Fri Sat Sun
    1 2 3 4 5
6 7 8 9 10 11 12
13 14 15 16 17 18 19
20 21 22 23 24 25 26
27 28 29 30 31    
Archives
July 2009
June 2009
May 2009
Recent...
Older...
Categories

All categories
Syndicate This Blog
Protected By

Hardening-Patch for PHP