We are on day 5 of the Month of PHP Bugs, meanwhile details for 11 Vulnerabilities were disclosed, including 2 Bonus vulnerabilities covering local root vulnerabilities in the Zend Platform.
The reaction has been quite positive so far. Emails we got were all positive and included a few emails by people who wanted to be part of the MOPB and sent us their 0-day PHP bugs. So far only one or two of the bugs sent in were on our list. Therefore we consider releasing them in the next weeks. Of course with full credit.
On the other hand there were some people in several forums (who of course are anonymous) that argued that this is all not as bad as it sounds and that you cannot take the vulnerabilities seriously. They argue that for example bug 1 and bug 4 would be the same bugs. Quite amusing, because they might exploit the same problem: lack of reference counter checks but are far from being the same bug. This is like considering all bufferoverflows to be the same bug, because they all exploit missing buffer boundary checks.
Other's were arguing that bug 9 cannot be counted because it only appears in the CVS version of PHP. This thinking seems to be quite typical in the PHP community. Complete disrespect for other people's work. Let's not forget that without these PHP CVS fixes that the Hardened-PHP Project did in the past, there would be atleast 3 more core remote vulnerabilities in PHP. With core remote vulnerabilities we mean remote vulnerabilities that are inside the PHP core and can be triggered regardless of the scripts installed.
Yeah and of course there is the fraction of people that continue to spread the propaganda that all this is only for publicity. Again a sign of complete disrespect for our work. These people obviously have not the slightest clue how much work it is and how many hours one has to spend to search for these vulnerabilities, write proof of concept code and report it to the vendor that in return claims security of his product is his achievement.
And for those who have missed the commit. The MOPB already "convinced" the PHP developers to add an array depth limit. A feature that Hardened-PHP/Suhosin has since 2004 and that was considered NOT WANTED by the PHP project. History repeats. One needs to make a lot of public noise about something and the PHP developers start to consider it, like my blog entry about the holes in allow_url_include that resulted in the usual attacks on the php internals mailinglist but convinced them to fix it finally. Of course now it is labeled as the achievement of the PHP developers...