PHP == “mainstream” security issue
10 Apr 2007
After reading Bill O’Reilly’s Radar that PHP has now entered the mainstream as shown by evidence of the increased sale of beginner PHP books, I can only say that I am frightened.
Coming from the security and vulnerability space, I consider PHP the worst offender when it comes to security. PHP is easy to use, but hard to use securely. Stefan Esser’s Hardened PHP project goes to show how much more improvement PHP needs. To give the PHP developers some credit, they have started taking some steps to improve security, like finally disabling the register_globals and allow_url_fopen options by default. However, this is too little, too late.
You can tell a language is a threat when vulnerability researchers have to come up with new classes of vulnerabilities just to describe the language’s security deficiencies — PHP Remote File Inclusion and Dynamic Variable Evaluation come to mind. Let’s see: how many hundreds (thousands?) of websites have been compromised due to PHP’s mainstream exposure and “ease of use”? All of that in addition to the increased XSS threat from global variables and multiple problems with CSRF and session handling.
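To make the register_globals / allow_url_fopen point from the previous paragraph and the remote file inclusion class named above concrete, here is an added example (my own illustration, not code from the post or from the PHP project) of the include pattern that makes those options dangerous, beside a hardened version that only ever uses the request value as a lookup key. The `page` parameter, the template paths and the function names are assumptions for illustration; the syntax is modern PHP (7+), not the PHP 5 of 2007.

```php
<?php
// Added example, not from the original post. The "page" parameter and the
// template paths below are assumed for illustration.

// --- Vulnerable pattern (kept only to show the defect) --------------------
// The request value flows straight into include(). With URL includes enabled
// (allow_url_fopen in PHP 5.1 and earlier, allow_url_include since PHP 5.2)
// the "file" can be a remote URL; even with them disabled, it is still an
// unvalidated local path. With register_globals on, $page would be filled
// from the query string even without the explicit assignment.
function render_page_vulnerable(): void
{
    $page = $_GET['page'] ?? 'home';
    include $page . '.php';
}

// --- Hardened version -----------------------------------------------------
// A fixed allowlist maps request values to known template files. The request
// string is a dictionary key, never a path, so neither remote nor local
// inclusion of anything outside this map is possible.
const PAGE_TEMPLATES = [
    'home'    => __DIR__ . '/templates/home.php',    // assumed path
    'about'   => __DIR__ . '/templates/about.php',   // assumed path
    'contact' => __DIR__ . '/templates/contact.php', // assumed path
];

function resolve_template(string $requested): ?string
{
    // Strict key lookup: anything not in the allowlist is rejected.
    return PAGE_TEMPLATES[$requested] ?? null;
}

function render_page_hardened(): void
{
    $template = resolve_template((string) ($_GET['page'] ?? 'home'));
    if ($template === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $template;
}

// --- Startup check for the php.ini options the post mentions --------------
// register_globals and allow_url_include cannot be changed at runtime with
// ini_set(), so instead of trying to set them the application refuses to
// serve requests while they are still enabled. ini_get() returns false for
// directives a given PHP version no longer knows (register_globals was
// removed in 5.4), which filter_var() treats as "off".
function check_dangerous_ini_settings(): array
{
    $problems = [];
    foreach (['register_globals', 'allow_url_include'] as $directive) {
        if (filter_var(ini_get($directive), FILTER_VALIDATE_BOOLEAN)) {
            $problems[] = "$directive is enabled";
        }
    }
    return $problems;
}

$problems = check_dangerous_ini_settings();
if ($problems) {
    error_log('Insecure PHP configuration: ' . implode(', ', $problems));
    http_response_code(500);
    exit;
}
render_page_hardened();
```

The hardened version does not try to sanitise the path (stripping `..` or `http://` is the kind of blacklist that keeps producing new inclusion bugs); it simply never builds a path from input. The startup check is the application-side complement to turning the options off in php.ini: a deployment that silently re-enables them fails loudly instead of quietly reopening the hole.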
Even the PHP language (and Zend Engine) has had its share of critical issues: CVE-2006-3017 and CVE-2006-5465. According to NVD’s CVE data, in 2006 and 2007, PHP has had 90 reported vulnerabilities (quite a few of which were from Esser’s recent Month of PHP Bugs (MoPB)). [Sorry, I can't find a way to link to the NVD search results.]
At least people other than O’Reilly can profit off of PHP’s mainstream recognition.