Month of PHP Security
Information about more than 20 vulnerabilities has been disclosed as part of the "Month of PHP Security" (MOPS) held this May. Eight of the holes are contained in PHP applications, while 12 affect PHP itself. Four articles about PHP security have also been published.
MOPS, which was initiated by PHP security specialist Stefan Esser and is related to the "Month of PHP Bugs" (MOPB) Esser launched in 2007, will offer new information about PHP on a daily basis throughout the month of May. Unlike MOPB, MOPS also offers information provided by the PHP developer community.
The main issues disclosed so far are a code injection hole in Xinha, a WYSIWYG editor that is also part of the Serendipity CMS, and SQL injection holes in the DeluxeBB forum software and in the ClanSphere CMS.
In PHP itself, various functions contain vulnerabilities that allow intruders, for instance, to spy out information or to execute code through uninitialised memory access. So far, official patches have been released only for some of the applications, not for PHP itself. However, the descriptions of the individual vulnerabilities contain information about possible fixes.
- Call for papers for Month of PHP Security, a report from The H.
- Month of PHP Bugs: 18 holes that need patching, a report from The H.