PHP bug hunter silences his critics with security project

Month of PHP bugs nets 41 security flaws in source code; hunter satisfied

Howard Dahdah (ARN)
10 April, 2007 15:15
Comments

PHP bug hunter Stefan Esser says he feels vindicated after his successful Month of PHP Bugs project which ran through March.

The project, which aimed to highlight flaws in the PHP source code, uncovered 44 bugs, although Esser said the real number was 41, because three bugs were not in PHP code itself. These, he said, were a "bonus".

Esser copped a lot of flak ahead of, and during, his Month of PHP bugs project.

Many critics in blogsphere claimed the project was an act of revenge against the PHP community which Esser was once close to.

Esser, who was a founder of the PHP Security Response Team, left the group amid much acrimony in December 2006. He said his main bone of contention with the group lay in the righteous view its members had of the PHP source code, and what he believed was their protection of insecure code.

In light of his criticisms of the PHP source code, Esser went about organizing the MOPG, which he said was a "concentrated audit" of bugs. "I have been doing bug hunting in PHP for years now. Only this time I collected the bugs and released them in a more dramatic way than I usually do," he said.

"The outcome is that I proved that there is substance behind things I claim, which is quite uncommon in PHP security where most is just marketing talk," he said. "I have especially demonstrated that my claims that PHP developers reintroduce bugs or never fix them correctly or introduce new vulnerabilities with security fixes are valid."

Esser said he did not know if there will be a 'Return of the MOPB'.

"But yes, I will continue to uncover vulnerabilities in PHP and develop protections against those vulnerabilities," he said.

"I have been doing this for six years and I do not plan to stop. I still have more PHP vulnerabilities in my pocket."

Bookmark this page
Share this article
- facebook
- slashdot
- digg
- Reddit
- stumbleupon
- linkedin
- twitter
Got more on this story? Email Computerworld
Follow Computerworld on twitter

More about: ACT, HIS Limited

References show all

PHP Group accused of security incompetence

Comments

Post new comment

Share
Share this article
- google+
- facebook facebook
- slashdot slashdot
- digg digg
- Reddit Reddit
- stumbleupon stumbleupon
- linkedin linkedin
- twitter twitter
print
email
Bookmark

Related Whitepapers

Why Hackers have Turned to Malicious JavaScript Attacks

Website attacks have become a serious business proposition. In the past, hackers may have infected websites to gain notoriety or just to prove they could—but today, it’s all about the money. Reaching unsuspecting users through the web is easy and effective. Hackers now use sophisticated techniques—like injecting inline JavaScript—to spread malware through the web. Learn about the threat of malicious JavaScript attacks, and how they work. Understand how cybercriminals make money with these types of attacks and why IT managers should be vigilant.

Featured Download

Lavasoft Ad-Aware Free

Ad-Aware Free has long been one of the most popular spyware killers on the planet, and with good reason. It's simple to use, does an ...

Zones

Most Popular Whitepapers

Three simple steps to better patch security

It’s estimated that 90% of successful attacks against software vulnerabilities could be prevented with an existing patch or configuration setting. Yet patching is a persistent challenge for IT managers. With the glut of patches released each year, how do you know which ones are truly critical security patches and which ones aren’t? And how can you identify which computers are actually missing the patches they need? This paper details a simple approach to patching that gives you better visibility into and control over patch assessment and compliance.

Popular tags: Business Management, Security, Storage, Data Centre, Master Data Management

Latest Jobs

Market Place

PHP bug hunter silences his critics with security project

Comments

Post new comment

Customer service still dogs Telstra

iPhone 5 rumour rollup for the week ending February 10

Which tablet should I buy? iPad 2 vs Sony Tablet S

Customer service still dogs Telstra

Start-up spotlight: Smart Sparrow targets next-generation learning

Four crazy tech ideas from Google's Solve for X project

SA minister urges change to Facebook ban

Microsoft at a loss over Event Viewer scam

Exetel's John Linton passes away

TPG faces customer backlash over slowed net speeds

NBN Co wholesale pricing too high: Telstra

Why Hackers have Turned to Malicious JavaScript Attacks

Increasing Uptime and Efficiency with Switched PDUs - Two ways to use rack PDUs for more than just distributing power

Using Application Control to Reduce Risk with Endpoint Security

Forrester Research | Your Enterprise Database Security Strategy 2010

Lavasoft Ad-Aware Free

Application Lifecycle Management

HP Converged Storage Zone

EMC Next Generation Backup – Backup & Recovery Solutions

HP Business Efficiency - Money Payback Guarantee Resource Centre

The Australian Cloud

Three simple steps to better patch security

Top Ten Considerations when Deploying IT Operations Management in the Cloud

Enabling Agile and Intelligent Businesses

Managed Services Strategy Guide

Disaster Recovery Strategy Guide

Computerworld newsletter

Don't have an account?

PHP bug hunter silences his critics with security project

Comments

Post new comment

Computerworld newsletter