MOPB: First Reactions

Monday, March 5. 2007

Monday, March 5. 2007



We are on day 5 of the Month of PHP Bugs, meanwhile details for 11 Vulnerabilities were disclosed, including 2 Bonus vulnerabilities covering local root vulnerabilities in the Zend Platform.


The reaction has been quite positive so far. Emails we got were all positive and included a few emails by people who wanted to be part of the MOPB and sent us their 0-day PHP bugs. So far only one or two of the bugs sent in were on our list. Therefore we consider releasing them in the next weeks. Of course with full credit.


On the other hand there were some people in several forums (who of course are anonymous) that argued that this is all not as bad as it sounds and that you cannot take the vulnerabilities seriously. They argue that for example bug 1 and bug 4 would be the same bugs. Quite amusing, because they might exploit the same problem: lack of reference counter checks but are far from being the same bug. This is like considering all bufferoverflows to be the same bug, because they all exploit missing buffer boundary checks.


Other's were arguing that bug 9 cannot be counted because it only appears in the CVS version of PHP. This thinking seems to be quite typical in the PHP community. Complete disrespect for other people's work. Let's not forget that without these PHP CVS fixes that the Hardened-PHP Project did in the past, there would be atleast 3 more core remote vulnerabilities in PHP. With core remote vulnerabilities we mean remote vulnerabilities that are inside the PHP core and can be triggered regardless of the scripts installed.


Yeah and of course there is the fraction of people that continue to spread the propaganda that all this is only for publicity. Again a sign of complete disrespect for our work. These people obviously have not the slightest clue how much work it is and how many hours one has to spend to search for these vulnerabilities, write proof of concept code and report it to the vendor that in return claims security of his product is his achievement.


And for those who have missed the commit. The MOPB already "convinced" the PHP developers to add an array depth limit. A feature that Hardened-PHP/Suhosin has since 2004 and that was considered NOT WANTED by the PHP project. History repeats. One needs to make a lot of public noise about something and the PHP developers start to consider it, like my blog entry about the holes in allow_url_include that resulted in the usual attacks on the php internals mailinglist but convinced them to fix it finally. Of course now it is labeled as the achievement of the PHP developers...


Posted by Stefan Esser in Security, PHP at 11:02
Comments (10)
Link to this post


Comments
Display comments as (Linear | Threaded)

#1 Gareth Heyes wrote (Link) ()
Hey Stefan

Glad to see the month of php bugs, I think the "month of *" are a great success in highlighting problems in widespread software and result in making them more secure for the community. Keep up the good work!

Cheers

Gareth
posted on Monday, March 5. 2007
#2 Christian Matthies wrote (Link) ()
Yeah and I hope that fixed bugs will be the final result of all this. I mean, whats the point of arguing about whether or not the Hardened PHP Project wants to promote their project and all those stupid discussions?

Honestly, people seem to forget what this is for. Stop blaming Stefan and stop wasting time - start working on these issues!
posted on Monday, March 5. 2007
#3 Richard Davey wrote (Link) ()
Keep up the good work, and don't let the tiny-minded people knock down the amazing amount of work you are doing for the benefit of PHP as a whole. Work they probably don't have the skills to even comprehend, let alone do themselves.
posted on Monday, March 5. 2007
#4 Pádraic Brady wrote (Link) ()
I've seen some of the FUD, and it never seems to note any fault with the bug reports ;-). I guess some people just enjoy a bit of righteous arguing rather than judge based on the merits of the reports. Since PHP in general has so little publicity of its security flaws (not like the bug tracker or mailing lists are often quoted to the average developer) I think this month will help increase awareness and knowledge that such things do exist and certainly need fixing. In that respect, I wish it every success. It's gotten people talking, and hopefully applied a little pressure in the right corners :-).
posted on Monday, March 5. 2007
#5 Spider ()
First of all, thank you for all of your work. It does take a lot of time, effort, and determination to hunt down the subtle bugs you've found. You are doing a great benefit for anyone that has anything to do with php (Ie developers who use the language all the way down to the users of the actual applications ).

Having said that, it is also equally true that you need to tone down your 'tude a bit. I understand php hasn't shown you love for your work and has taken credit for most of it, but you have to rise above it. You deserve credit, but that shouldn't be your primary reason for doing this. Do it because it needs to be done, and without your effort it wouldn't be done. You don't have to make such a deal about not getting credit and assigning credit to yourself. It makes you look petty.
posted on Monday, March 5. 2007
#6 Mitch Smits ()
I think this is awesome. I'm learning all kinds of low level stuff about php as well as how it works. If people don't appreciate what your doing they can go jump off a cliff. Its ignorance if they don't appreciate your trying to make their code more secure. I see each day as a new "Gift" waiting to be unwrapped, played with and savored.
posted on Monday, March 5. 2007
#7 Magoo ()
This may be the exploit you referenced, but I just noticed that the writer of this mentions the MOPB.

http://www.milw0rm.com/exploits/3417
posted on Tuesday, March 6. 2007
#8 Rick ()
Great work, but....

please please please pretty please with suger on top, ditch the adversarial tone towards the PHP developers. If you believe there is a need to publicly confront/pressure them, please seperate that from the rest of the great work.

Right now, almost every second sentence on this site seem to be full of rancor. Whether it's justified or not, it distracts from the message and turns people off who would otherwise very much appreciated the work and could help to put pressure on Zend and the PHP Project to take security issues more seriously.

You want to tell the world how pissed off you are? Put it on a seperate personal blog, don't mix it with the work. Otherwise this whole thing will continue to look more like a geek-fight then a security audit.
posted on Tuesday, March 6. 2007
#8.1 Stefan Esser wrote (Link) ()
Rick,

of course you will only read the "esser is evil" side when talking with Zend etc...

However fact is that every harsh word from my side is just the response to a lot of harsh words from the other side.

The PHP developers only want to look like the victims while they are the ones that shoot first.
posted on Tuesday, March 6. 2007
#8.1.1 plenque ()
Nevertheless, I also think Rick has a point there.

The facts given in this page could only make PHP a better language. That for itself should give you the merit you deserve.

If you could take that personal stuff he mentions from the message, it would be even easier to understand everything. I mean, whenever I read personal stuff I start to think about "people" problems, and the great great stuff here is mostly technical. Basically we're asking you to stop returning the harsh words (I'm not taking sides... I'm assuming those harsh words exist because you mentioned them).

Anyway, thank you very much for your efforts.
posted on Tuesday, March 6. 2007

Add Comment

Standard emoticons like :-) and ;-) are converted to images.
 

Submitted comments will be subject to moderation before being displayed.
 
Calendar
Back July '09
Mon Tue Wed Thu Fri Sat Sun
    1 2 3 4 5
6 7 8 9 10 11 12
13 14 15 16 17 18 19
20 21 22 23 24 25 26
27 28 29 30 31    
Archives
July 2009
June 2009
May 2009
Recent...
Older...
Categories

All categories
Syndicate This Blog
Protected By

Hardening-Patch for PHP