Interview with Stefan Esser

In your opinion which is the main problem in PHP security?

This question is really hard to answer. I personally see a lot of problems in the PHP language itself, in the PHP interpreter and in the PHP development process. However the most annoying thing is that the PHP developers always blame the PHP programmers for their bad code but never accept that they have created the functionality (ropes) these people hang themself with. Another very annoying thing is that right now a lot of PHP programmers believe they can perform security audits just because they know about input filtering and output escaping. This is atleast the message PHP.NET and other groups give. Unfortunately security is not that easy.

The PHP Team is pushing for the use of PHP 5, letting go version 4: what does it involve for the security concern?

Well on one hand it is good for security, because contrary to claims PHP 4 does not get regular security updates. For example they still have not fixed the reference counter issues reported during the MOPB. Some distributions like OpenSuSE had to develop their own patches for these vulnerabilities. So the switch to PHP 5 is good because PHP 4 isn’t supported fully anymore anyway. For server administrators on the other hand the problem is that PHP 5 comes with new features that are maybe not centrally documented and can result in security problems. For example it is now possible to listen on sockets and connect to ports from within the PHP core. This is something that makes running untrusted PHP code a headache.

Additionally there are now a number of builtin classes that administrators might not know about and while they might forbid some functions they might not know that the same functionality can be reached through the builtin classes. Additionally you cannot simply use PHP 4 code in PHP 5 without a security audit. Some functionality like the deprecated magic_quotes_gpc was changed from PHP 4 to PHP 5 so that code that is perfectly secure in PHP 4 is suddenly open to attacks in PHP 5. However the positive thing is that some of the new functionality (if it is used) like prepared statements will make it harder to write code that is vulnerable to SQL injection and the option allow_url_include will make it harder to exploit include statements.

Which is, concerning security, the best CMS between Drupal, Joomla and WordPress?

I must say that I don’t know the code of Joomla. However I consider Drupal more secure than WordPress.

Do you know any other CMS as secure as those above?

At the moment Hardened-PHP uses a heavily modified Papaya CMS. However the reason for this is that I know the author personally. But I am really not the right person to ask this question, because my requirements are completely different from the requirements of people usually installing the software. Whenever possible I take software that is small and does only the required task so that the codebase can be audited very easily before usage.

Does any other bug exist that you didn’t publish?

In PHP there are still a number of vulnerabilities that are not published or even not reported yet. There are also several vulnerabilities that were reported but not yet fixed.

Is it possible to know which are?

Well once the PHP developers have fixed the reported stuff o released updates there will be an advisory that explains the vulnerabilities. At the moment I am not giving more information out, sorry.