Following in the now well-established form of a ‘Month of X Bugs’ php-security.org has just opened it’s call for papers for a second month, to update and expand on it’s successful run month in 2007.
I’ll admit that I largely ignored the original Month of PHP Bugs (MOPB), at the time I had just made the decision to stop coding in PHP and try a more mature language. I had found PHP to be a very simple language to learn and code it, but as a result I also found it very simple to code very badly in as well. (and I’ve since found that a bad coder can code badly in any language, hence why I gave up the career path of developer).
However, this month’s SuperMondays event changed my perspective slightly. Lorna Jane gave a great presentation on using PHP to provide a web services architecture, at first glance looks like PHP has improved and matured significantly since I last used it. For those interested Lorna’s talk was recorded and is available here, and Lorna’s own take on the event can be found here.
So while I’m not in a position to contribute to the month’s releases, I will be paying closer attention to the resources released this time around. If you think you can contribute the organizers have posted a list of accepted topics:
- New vulnerability in PHP  (not simple safe_mode, open_basedir bypass vulnerabilities)
- New vulnerability in PHP related software  (popular 3rd party PHP extensions/patches)
- Explain a single topic of PHP application security in detail (such as guidelines on how to store passwords)
- Explain a complicated vulnerability in/attack against a PHP widespread application 
- Explain a complicated topic of attacking PHP (e.g. explain how to exploit heap overflows in PHP’s heap implementation)
- Explain how to attack encrypted PHP applications
- Release of a new open source PHP security tool
- Other topics related to PHP or PHP application security
 Articles about new vulnerabilities should mention possible fixes or mitigations.
And prizes are available for the best submissions:
|1.||1000 EUR + Syscan Ticket + CodeScan PHP License|
|2.||750 EUR + Syscan Ticket|
|3.||500 EUR + Syscan Ticket|
|4.||250 EUR + Syscan Ticket|
|5.-6.||CodeScan PHP License|
|7.-16.||Amazon Coupon of 65 USD/50 EUR|
So what are you waiting for? Get contributing…