Simson Garfinkel's blog
PHP Insecurity
A widely used Web development framework is said to be riddled with security holes.
Simson Garfinkel 02/23/2007
- 4 Comments
PHP is a Web development framework that's at the heart of some of the most important Web applications today. PHP powers Wikipedia. PHP runs websites at National Public Radio, Sourceforge, and the state of Rhode Island, to name a few. Indeed, every time you see a URL that ends ".php," that's a sign that PHP is helping deliver you your Web pages.
So given the current state of computer software, it should be expected that the PHP run-time system has some bugs in it, and that some of these bugs are security bugs. All software has bugs in it, after all.
But PHP has more than a few security bugs: in many ways PHP is fundamentally flawed. The program, whose initials originally stood for Personal Home Page, was designed without much thought given to security. Many of the PHP features that make it really easy to write a Web application also make it really difficult to write one that's secure.
All of this matters just now because Stefan Esser, the founder of the Hardened-PHP Project and the PHP Security Response Team (which he recently quit), has threatened to make March the "month of PHP bugs." By that, Esser means that he is going to be releasing a series of security bugs in March that show the world just how unsecure PHP actually is.
What's driving Esser is both a desire to make PHP more secure and a good touch of anger and resentment at the current PHP developers who have taken many of his security patches and incorporated them into the program without giving Esser any credit. You can read more about his motivations in his blog entry and in the interview that he did with Security Focus.
How will this affect users of the Web? Well, a recent "Month of Bugs" project aimed at Apple identified a number of security problems that the company was apparently unaware of, but it didn't result in any serious worms or threats to Apple users. This month of PHP bugs might be a similar bust. On the other hand, Apple was able to push out a fix to these problems using the Mac OS Software Update feature. PHP has no such feature, and many ISPs run kind of elderly (and buggy) versions of the program.
Personally, I'm troubled by PHP. It's not a well-designed language, it's overly complex, and it's extraordinarily pervasive. Still, it would be nice if the bugs could be fixed without exposing so many systems to attack.
So given the current state of computer software, it should be expected that the PHP run-time system has some bugs in it, and that some of these bugs are security bugs. All software has bugs in it, after all.
But PHP has more than a few security bugs: in many ways PHP is fundamentally flawed. The program, whose initials originally stood for Personal Home Page, was designed without much thought given to security. Many of the PHP features that make it really easy to write a Web application also make it really difficult to write one that's secure.
All of this matters just now because Stefan Esser, the founder of the Hardened-PHP Project and the PHP Security Response Team (which he recently quit), has threatened to make March the "month of PHP bugs." By that, Esser means that he is going to be releasing a series of security bugs in March that show the world just how unsecure PHP actually is.
What's driving Esser is both a desire to make PHP more secure and a good touch of anger and resentment at the current PHP developers who have taken many of his security patches and incorporated them into the program without giving Esser any credit. You can read more about his motivations in his blog entry and in the interview that he did with Security Focus.
How will this affect users of the Web? Well, a recent "Month of Bugs" project aimed at Apple identified a number of security problems that the company was apparently unaware of, but it didn't result in any serious worms or threats to Apple users. This month of PHP bugs might be a similar bust. On the other hand, Apple was able to push out a fix to these problems using the Mac OS Software Update feature. PHP has no such feature, and many ISPs run kind of elderly (and buggy) versions of the program.
Personally, I'm troubled by PHP. It's not a well-designed language, it's overly complex, and it's extraordinarily pervasive. Still, it would be nice if the bugs could be fixed without exposing so many systems to attack.
On Twitter
Become a Fan on Facebook
Subscribe to the Feed
Buckwheat469
34 Comments
Don't bypass PHP because of this article.
PHP may have originally been developed as a Personal Home Page processor, but it has evolved its way from a scripting solution to an Object-based solution. This evolution takes time for an open-source software system and can be sketchy in some parts, but the software is gaining power in the online community.
The key is that this software is open source and has a small team of dedicated members to develop it, compared to an organization like Microsoft, Apple, and Java (Sun), where there have been defined methods of planning before implementation. PHP is different because many of these developers are self-taught and some may not have the formal education in software engineering that Microsoft hires from. Granted these people are brilliant, but they are working with what was given to them.
Yes. PHP has security holes that can be exploited, but PHP also has installation and configuration instructions that should be followed to reduce these exploitable areas. Then, people have also published ways that developers can improve their code to reduce the amount of webpage-based exploits like inserting PHP code into a form element.
For small websites and apps, non-profit organizations, and small to medium businesses, PHP is a godsend because it's free and easy to use, but for companies that are making millions of dollars on their websites, you would hope that they could afford a more secure solution. If they don't invest in security then that company should not be invested in at all.
Reply