Month of PHP Bugs gets going
March is to be the Month of PHP Bugs (MOPB). As with the earlier MOBB, MOKB and MOAB projects, all of which caused much excitement, numerous security holes will be disclosed. Unlike those three projects, the Hardened-PHP Project, which initiated the MOPB and whose members include the security expert Stefan Esser, will not publish just one vulnerability per day. The MOPB also deals with security vulnerabilities in a single product only: the PHP core and the language itself. PHP applications are not a target of this initiative since, as the FAQ page states, problems with PHP applications are already addressed by other sites such as Full Disclosure or Bugtraq.
The project is an effort to improve the security of PHP and should not be regarded as an attempt to attack PHP developers or to take revenge for the disputes within the PHP Security Response Team. At the end of last year, Esser left the PHP security team, and Zeev Suraski, CTO of Zend, expressed worries that the MOPB would harm rather than benefit the PHP project.
According to the MOPB FAQ, the design of the MOPB site resembles that of the MOAB site for reasons of clarity. On the first day of the MOPB, a vulnerability was disclosed in PHP version 4, a version that is still widely used. Because the variable reference counter is only 16 bits wide, a PHP application can cause it to overflow. According to the security advisory, this makes it possible for an attacker to delete variables, create his own variables and write his own code into the same memory in order to execute it within the executing application, for instance a Web server. However, an attacker must have at least restricted access to the respective system. Esser has provided a demo of this vulnerability, but the link to it has not yet been activated.
The MOPB team does not expect the PHP developers to fix this hole, since a fix may create problems for third-party vendors who provide closed-source PHP extensions. As a workaround, the advisory suggests manually changing the size of the reference counter to 32 bits and recompiling all other PHP extensions; however, this is not possible with closed-source products.
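The overflow and the 32-bit workaround described above, shown as an added example that is not taken from the advisory or from PHP's source: a simplified C model of a reference-counted value. The struct, the function names and the `holders` ground-truth field are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model of a reference-counted value (assumption: not PHP's source). */
typedef struct {
    uint32_t refcount; /* stored counter, truncated to the modelled width */
    uint32_t mask;     /* 0xFFFF models a 16-bit counter, 0xFFFFFFFF a 32-bit one */
    uint64_t holders;  /* ground truth: references actually outstanding */
    int freed;         /* set when the stored counter reaches zero */
} counted_value;

static void value_init(counted_value *v, unsigned bits) {
    v->mask = (bits == 16) ? 0xFFFFu : 0xFFFFFFFFu;
    v->refcount = 1;
    v->holders = 1;
    v->freed = 0;
}

/* Unchecked increment: wraps silently at the counter width. */
static void value_addref(counted_value *v) {
    v->refcount = (v->refcount + 1u) & v->mask;
    v->holders++;
}

static void value_release(counted_value *v) {
    v->refcount = (v->refcount - 1u) & v->mask;
    v->holders--;
    if (v->refcount == 0)
        v->freed = 1; /* a real runtime would destroy the value here */
}

/* Take extra_refs references, drop one, and report how many holders
 * still point at a value that has already been freed (0 = consistent). */
uint64_t dangling_after(unsigned bits, uint32_t extra_refs) {
    counted_value v;
    value_init(&v, bits);
    for (uint32_t i = 0; i < extra_refs; i++)
        value_addref(&v);
    value_release(&v);
    return v.freed ? v.holders : 0;
}

int main(void) {
    printf("16-bit, 100 refs:   %llu dangling\n", (unsigned long long)dangling_after(16, 100));
    printf("16-bit, 65536 refs: %llu dangling\n", (unsigned long long)dangling_after(16, 65536));
    printf("32-bit, 65536 refs: %llu dangling\n", (unsigned long long)dangling_after(32, 65536));
    return 0;
}
```

With the 16-bit counter, 65536 extra references wrap the stored count back to 1, so a single release frees a value that is still referenced; the same sequence with a 32-bit counter stays consistent.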
- the Month of PHP Bugs, project page