Security guru Stefan Esser launched the Month of PHP Bugs (MoPB) on Thursday, promising to release at least one bug every day for the month of March.
The initiative, first reported by SecurityFocus, comes after a falling out between the founder of the Hardened PHP group and the core PHP Project's security team. Esser stressed that the MoPB is not motivated by any ill will toward the project.
"You should consider the Month of PHP Bugs a result report for just another audit we did on PHP," Esser stated on the site. "Unfortunately when you disclose security problems in someone else's code or in their bug handling process the developers often feel hurt or attacked."
PHP, a popular Web programming language, was originally an acronym for Personal Home Page tools, the name of the small project Rasmus Lerdorf created in 1994. Two Israeli developers, Zeev Suraski and Andi Gutmans, rewrote the language parser in 1997 and changed the name to PHP: Hypertext Preprocessor, adopting the recursive naming convention historically used by some Unix programs. The language is now used by Web sites hosted on nearly 20 million domains and 1.3 million IP addresses, according to data collected by Internet monitoring service Netcraft for its October 2006 survey.
The language came under scrutiny when Esser, a longtime developer, left the PHP Group's internal security team in December, criticizing its members for not responding quickly to security issues. Members of the PHP Group fired back at Esser, stating that his reasons for leaving were less about security and more about not working together with the team. Flaws in PHP applications accounted for more than 40 percent of the vulnerabilities reported in 2006, SecurityFocus has found.
Esser released three flaws on March 1 to kick off the project.
Posted by: Robert Lemos