Federico Biancuzzi, 2007-02-05
Stefan Esser is the founder of both the Hardened-PHP Project and the PHP Security Response Team (which he recently left). Federico Biancuzzi discussed with him how the PHP Security Response Team works, why he resigned from it, what features he plans to add to his own hardening patch, the interaction between Apache and PHP, the upcoming "Month of PHP bugs" initiative, and common mistakes in the design of well-known applications such as WordPress.
PHP Security From The Inside
2007-02-05
Anonymous (1 replies)
PHP Security From The Inside
2007-02-07
PHP Application Dev. (3 replies)
It's unfortunate that Stefan has decided to put at risk a large portion of websites on the Internet.
Following his falling-out/difference of opinions with PHP developers, this act seems more like going out in a blaze of sour grapes than any genuine interest in the security of PHP.
Since he is...
Re: PHP Security From The Inside
2007-02-15
Anonymous
> It's unfortunate that Stefan has decided to put at risk a large
> portion of websites on the Internet.
Actually it's unfortunate that *PHP* has done this *and* mistreated someone who was/is trying to make it a viable option.
Plus this "large portion of websites" you refer to are to blame ...
Re: PHP Security From The Inside
2007-02-20
Don Hopkins
If it's slightly unfortunate what Stefan has done, that pales in comparison to how extremely unfortunate it is that PHP is so horribly riddled with bugs and security holes, and that the PHP team doesn't give a shit about fixing them.
Have some perspective! You're blaming the victim here. The caus...
Blame others, hype yourself
2007-02-08
Sebs (2 replies)
To fully understand the "Esser Issue" one must read the threads on php-internals (avail via www) and then understands why the word traitor came up. Not a too bad description for that guy.
Pointing fingers is always easy; doesn't every OS project have a kind of Esser?
...
Re: Blame others, hype yourself
2007-02-08
Anonymous (1 replies)
Sebs is it a sign of jealousy that you leave comments wherever possible against "Esser"?
It must really eat at you that he was interviewed and not you.
Your behaviour fits perfectly into the image of a clueless PHP programmer....
Re: Re: Blame others, hype yourself
2007-02-15
Anonymous (1 replies)
> Your behaviour fits perfectly into the image of a clueless PHP programmer.
LOL, soooo true...
Re: Re: Re: Blame others, hype yourself
2007-02-20
Don Hopkins
Totally agreed. This "Sebs" guy is an archetypal example of an ignorant PHP fan-boy who's doing more harm to PHP by trying to sweep its problems under the rug, by criticising somebody who's actually trying to do something about solving the problem. Thank you Sebs for stepping up to the plate and dem...
Re: Blame others, hype yourself
2007-02-13
Anonymous
The difference is that he tried to do something in the team and he failed, because there is no organisation about security drafts in the developer team. Wondering why?
And now he already does something on his own with his guardian project. So a bad boy leaves a good team?
Sometimes there is a need for po...
This is highly irresponsible
2007-02-20
Paul Hickman (2 replies)
Openly disclosing bugs that the developers are not fixing after private disclosure is acceptable, but purposefully disclosing them on a daily basis rather than all in one go is highly irresponsible and purely an attention grabbing stunt - it prevents the developers from releasing an effective patch ...
Re: This is highly irresponsible
2007-02-20
Mark Zein
Are you aware that security bugs disclosed to the PHP developers are usually fixed and then wait in the CVS for several months until they make it into a bugfix release (that most probably breaks tons of sites like PHP 5.2.1 successfully demonstrated)?
Are you really that ignorant to believe that ...
Re: This is highly irresponsible
2007-02-20
John Carmichael (1 replies)
First off, bug reports don't fuel script kiddies, POC code does. By definition a script kiddie isn't going to have the requisite skills to do anything with a bug report. Plus let's not pretend that they don't have access to a huge list of unpatched bugs already from security mailing lists.
Stef...
Re: Re: This is highly irresponsible
2007-02-21
Anonymous (1 replies)