
Month of PHP bugs 2010

2010/02/28

Following the now well-established form of a ‘Month of X Bugs’, php-security.org has just opened its call for papers for a second month, to update and expand on its successful run in 2007.

I’ll admit that I largely ignored the original Month of PHP Bugs (MOPB); at the time I had just made the decision to stop coding in PHP and try a more mature language. I had found PHP to be a very simple language to learn and code in, but as a result I also found it very simple to code very badly in as well (and I’ve since found that a bad coder can code badly in any language, hence why I gave up the career path of developer).

However, this month’s SuperMondays event changed my perspective slightly. Lorna Jane gave a great presentation on using PHP to provide a web services architecture, and at first glance it looks like PHP has improved and matured significantly since I last used it. For those interested, Lorna’s talk was recorded and is available here, and Lorna’s own take on the event can be found here.

So while I’m not in a position to contribute to the month’s releases, I will be paying closer attention to the resources released this time around. If you think you can contribute, the organizers have posted a list of accepted topics:

Accepted Topics/Articles

  • New vulnerability in PHP [1] (not simple safe_mode, open_basedir bypass vulnerabilities)
  • New vulnerability in PHP related software [1] (popular 3rd party PHP extensions/patches)
  • Explain a single topic of PHP application security in detail (such as guidelines on how to store passwords)
  • Explain a complicated vulnerability in/attack against a PHP widespread application [1]
  • Explain a complicated topic of attacking PHP (e.g. explain how to exploit heap overflows in PHP’s heap implementation)
  • Explain how to attack encrypted PHP applications
  • Release of a new open source PHP security tool
  • Other topics related to PHP or PHP application security

[1] Articles about new vulnerabilities should mention possible fixes or mitigations.

And prizes are available for the best submissions:

# Prize
1. 1000 EUR + Syscan Ticket + CodeScan PHP License
2. 750 EUR + Syscan Ticket
3. 500 EUR + Syscan Ticket
4. 250 EUR + Syscan Ticket
5.-6. CodeScan PHP License
7.-16. Amazon Coupon of 65 USD/50 EUR

So what are you waiting for? Get contributing…

–Andrew Waite

  1. 2010/03/01 at 15:10

    Thanks for the mention and for the call to action, I hope there will be many contributions to the month of security initiative!
