The Future of PHP Security
December 9, 2006, marks the day when long standing contributor to the PHP Security Response Team, Stefan Esser, retired.He has stated a few reasons for this latest move, primarily focusing on(in his opinion) the lack of response from his fellow colleagues and anextended delay in the patching of known vulnerabilities. Possiblyanother example of how some individuals or groups may choose to view “responsible disclosure.”
Over the years, SecurityFocus has reported on multiple vulnerabilities affecting PHP, such as BIDs 20879 (PHP HTMLEntities HTMLSpecialChars Buffer Overflow Vulnerabilities), 19582 (PHP Multiple Input Validation Vulnerabilities ), 20349 (PHP ZendEngine ECalloc Integer Overflow Vulnerability), or 11964(PHP Multiple Local And Remote Vulnerabilities), to name a few.Attackers can leverage most of these issues to execute arbitrarymachine code on the vulnerable computer. This can mean a remotecompromise in the context of the Web server process.
With the recent loss – or more correctly, changing of venue – ofStefan Esser, what does the future hold for PHP security? In myopinion, the initial ramifications of this change will not likely befelt until early 2007. The first vulnerabilities reported may challengewhat's left of the PHP Security Response team as they scramble torelease updates to address the issues. But, in the long run, I feelthis may light a fire under their collective “keyboards” to addressissues in a more timely fashion. Hopefully, users won't suffer fromextended delays in the patching of known issues – at least not for verylong.