Following in the now well-established form of a ‘Month of X Bugs’ php-security.org has just opened it’s call for papers for a second month, to update and expand on it’s successful run month in 2007.
I’ll admit that I largely ignored the original Month of PHP Bugs (MOPB), at the time I had just made the decision to stop coding in PHP and try a more mature language. I had found PHP to be a very simple language to learn and code it, but as a result I also found it very simple to code very badly in as well. (and I’ve since found that a bad coder can code badly in any language, hence why I gave up the career path of developer).
However, this month’s SuperMondays event changed my perspective slightly. Lorna Jane gave a great presentation on using PHP to provide a web services architecture, at first glance looks like PHP has improved and matured significantly since I last used it. For those interested Lorna’s talk was recorded and is available here, and Lorna’s own take on the event can be found here.
So while I’m not in a position to contribute to the month’s releases, I will be paying closer attention to the resources released this time around. If you think you can contribute the organizers have posted a list of accepted topics:
Accepted Topics/Articles
- New vulnerability in PHP [1] (not simple safe_mode, open_basedir bypass vulnerabilities)
- New vulnerability in PHP related software [1] (popular 3rd party PHP extensions/patches)
- Explain a single topic of PHP application security in detail (such as guidelines on how to store passwords)
- Explain a complicated vulnerability in/attack against a PHP widespread application [1]
- Explain a complicated topic of attacking PHP (e.g. explain how to exploit heap overflows in PHP’s heap implementation)
- Explain how to attack encrypted PHP applications
- Release of a new open source PHP security tool
- Other topics related to PHP or PHP application security
[1] Articles about new vulnerabilities should mention possible fixes or mitigations.
And prizes are available for the best submissions:
| # | Prize |
|---|---|
| 1. | 1000 EUR + Syscan Ticket + CodeScan PHP License |
| 2. | 750 EUR + Syscan Ticket |
| 3. | 500 EUR + Syscan Ticket |
| 4. | 250 EUR + Syscan Ticket |
| 5.-6. | CodeScan PHP License |
| 7.-16. | Amazon Coupon of 65 USD/50 EUR |
So what are you waiting for? Get contributing…
–Andrew Waite
Thanks for the mention and for the call to action, I hope there will be many contributions to the month of security initiative!