Technology Review - Published By MIT

Simson Garfinkel's blog

A commonsense take on computer security, usability and why IT does matter.

Friday, February 23, 2007

PHP Insecurity

A widely used Web development framework is said to be riddled with security holes.
PHP is a Web development framework that's at the heart of some of the most important Web applications today. PHP powers Wikipedia. PHP runs websites at National Public Radio, Sourceforge, and the state of Rhode Island, to name a few. Indeed, every time you see a URL that ends ".php," that's a sign that PHP is helping deliver your Web pages.

So given the current state of computer software, it should be expected that the PHP run-time system has some bugs in it, and that some of these bugs are security bugs. All software has bugs in it, after all.

But PHP has more than a few security bugs: in many ways PHP is fundamentally flawed. The program, whose initials originally stood for Personal Home Page, was designed without much thought given to security. Many of the PHP features that make it really easy to write a Web application also make it really difficult to write one that's secure.

All of this matters just now because Stefan Esser, the founder of the Hardened-PHP Project and the PHP Security Response Team (which he recently quit), has threatened to make March the "month of PHP bugs." By that, Esser means that he is going to be releasing a series of security bugs in March that show the world just how insecure PHP actually is.

What's driving Esser is both a desire to make PHP more secure and a good touch of anger and resentment at the current PHP developers who have taken many of his security patches and incorporated them into the program without giving Esser any credit. You can read more about his motivations in his blog entry and in the interview that he did with Security Focus.

How will this affect users of the Web? Well, a recent "Month of Bugs" project aimed at Apple identified a number of security problems that the company was apparently unaware of, but it didn't result in any serious worms or threats to Apple users. This month of PHP bugs might be a similar bust. On the other hand, Apple was able to push out a fix to these problems using the Mac OS Software Update feature. PHP has no such feature, and many ISPs run rather old (and buggy) versions of the program.

Personally, I'm troubled by PHP. It's not a well-designed language, it's overly complex, and it's extraordinarily pervasive. Still, it would be nice if the bugs could be fixed without exposing so many systems to attack.

Comments

  • Don't bypass PHP because of this article.
    PHP may have originally been developed as a Personal Home Page processor, but it has evolved its way from a scripting solution to an Object-based solution. This evolution takes time for an open-source software system and can be sketchy in some parts, but the software is gaining power in the online community.

    The key is that this software is open source and has a small team of dedicated members to develop it, compared to an organization like Microsoft, Apple, and Java (Sun), where there have been defined methods of planning before implementation. PHP is different because many of these developers are self-taught and some may not have the formal education in software engineering that Microsoft hires from. Granted these people are brilliant, but they are working with what was given to them.

    Yes, PHP has security holes that can be exploited, but PHP also has installation and configuration instructions that should be followed to reduce these exploitable areas. Then, people have also published ways that developers can improve their code to reduce the amount of webpage-based exploits like inserting PHP code into a form element.

    For small websites and apps, non-profit organizations, and small to medium businesses, PHP is a godsend because it's free and easy to use, but for companies that are making millions of dollars on their websites, you would hope that they could afford a more secure solution. If they don't invest in security then that company should not be invested in at all.

    Buckwheat469
    02/23/2007
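    An added example, not code from the article or from the commenter, of the code-level hardening the comment mentions: form input must never end up as a PHP include path or as PHP code. The field names ('page', 'name') and the templates/ directory are assumptions.

```php
<?php
// Added example (not from the article or the comment above). It puts the
// form-handling mistake the comment alludes to, form input ending up as a
// PHP include path or as PHP code, next to a hardened version.
// Field names ('page', 'name') and the templates/ directory are assumptions.

// Vulnerable pattern: the request decides which file PHP loads and what
// code PHP runs. With allow_url_include on, the include can even fetch a
// remote file; with it off, it still reaches any local file the server can read.
function render_page_unsafe(array $post): void
{
    include $post['page'] . '.php';                       // request-controlled path
    eval('$greeting = "Hello ' . $post['name'] . '";');   // request-controlled code
    echo $greeting;
}

// Hardened pattern: the request only picks a key from a fixed allowlist, and
// user-supplied text is escaped for output, never evaluated or used as a path.
const ALLOWED_PAGES = ['home' => 'home.php', 'about' => 'about.php'];

function select_page(string $requested): ?string
{
    return ALLOWED_PAGES[$requested] ?? null;
}

function render_page_safe(array $post): void
{
    $template = select_page((string)($post['page'] ?? 'home'));
    if ($template === null) {
        http_response_code(400);              // unknown page: refuse, do not guess
        return;
    }
    include __DIR__ . '/templates/' . $template;
    $name = htmlspecialchars((string)($post['name'] ?? 'guest'), ENT_QUOTES, 'UTF-8');
    echo 'Hello ' . $name;                    // escaped, so it cannot inject markup or script
}

render_page_safe($_POST);
```

    The configuration advice the comment refers to lives in php.ini rather than in application code (settings of that era such as register_globals = Off and allow_url_include = Off), so it is not shown in the block.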
  • Overly complex language? About typical of this article's quality
    PHP - overly complex? The reason that it runs on approximately 25 million sites is that it is exceedingly simple. I saw an estimate from a consulting firm that demonstrated a 4-to-1 reduction in lines of code (Java to PHP). As an old C/assembler hack, I appreciate PHP's incredible simplicity.

    Regarding Month of Bugs... if you've read the SecurityFocus article about the Month of PHP Bugs, there appears to be a wide range of bugs which the developer intends to expose.

    Some, in fact, are local - meaning you must already have access to the box.

    It's questionable whether any of these will amount to much more than the month of browser bugs, etc.

    DougRoss
    02/24/2007
  • You have no idea what you're talking about
    I looked at the first line, and I immediately thought "Oh God, not another idiot who's writing about something he only read a Wiki article for". Where the hell did you see that PHP is a framework? PHP (PHP Hypertext Preprocessor) is a complete language all on its own. In fact, you don't mention that it is a programming language until the very last paragraph. CakePHP, CodeIgniter, and Symfony are all frameworks for using PHP. Wait, do you have any idea what a framework is?

    You even call PHP a program...that's like dismissing C as a program. Maybe the interpreter is an executable, but PHP itself is as abstract a concept as the languages people speak.

    And then there's this line: "Still, it would be nice if the bugs could be fixed without exposing so many systems to attack." Uhm, wait, wouldn't fixing bugs make systems less vulnerable to attacks?

    In conclusion, I would like to ask a question: what's the difference between 'print' and 'echo' in PHP?

    Scriptor
    02/24/2007
  • Often the bugs are in applications, not the framework
    PHP is, by all measures, not a secure "platform". But comparing security based on frameworks alone is misleading. I can point to J2EE or ASP.NET applications which are insecure, not because of the underlying framework but due to bad engineering.

    My point is that it is more often the application code developed atop a framework than it is the framework itself. This isn't to say that an insecure framework is not a problem; I tend to think that PHP is insecure not because of the underlying technology but because PHP tends to encourage an approach to architecture that many would characterize as ad hoc.

    One can create a "secure" PHP application just as one can create a secure Rails, ASP.NET, or J2EE application; it is more a question of people than technology.

    tmo9d
    02/25/2007
MIT Massachusetts Institute of Technology © 2009 Technology Review. All Rights Reserved.