December 9, 2006, marks the day when Stefan Esser, a long-standing contributor to the PHP Security Response Team, retired. He has stated a few reasons for this latest move, primarily focusing on (in his opinion) the lack of response from his fellow colleagues and an extended delay in the patching of known vulnerabilities. This is possibly another example of how some individuals or groups may choose to view “responsible disclosure.”
Over the years, SecurityFocus has reported on multiple vulnerabilities affecting PHP, such as BIDs 20879 (PHP HTMLEntities HTMLSpecialChars Buffer Overflow Vulnerabilities), 19582 (PHP Multiple Input Validation Vulnerabilities), 20349 (PHP ZendEngine ECalloc Integer Overflow Vulnerability), and 11964 (PHP Multiple Local And Remote Vulnerabilities), to name a few. Attackers can leverage most of these issues to execute arbitrary machine code on the vulnerable computer, which can mean a remote compromise in the context of the Web server process.
With the recent loss – or more correctly, changing of venue – of Stefan Esser, what does the future hold for PHP security? In my opinion, the initial ramifications of this change will likely not be felt until early 2007. The first vulnerabilities reported may challenge what's left of the PHP Security Response Team as they scramble to release updates to address the issues. But, in the long run, I feel this may light a fire under their collective “keyboards” to address issues in a more timely fashion. Hopefully, users won't suffer from extended delays in the patching of known issues – at least not for very long.