Friday, 11 May 2007
Know More About the PHP CVS
Stefan Esser talks about PHP vulnerabilities in his latest blog post. He is of the opinion that PHP security suffers because vulnerabilities in PHP are patched in the Concurrent Versions System (CVS) but are disclosed to the public only after a long time.
Stefan is concerned that even after a release, the general public does not know about these vulnerabilities, because they are not mentioned in the release announcement. He says that this has happened before and that it continues with the release of PHP 5.2.2.
He talks about a bug in the mcrypt_create_iv() function, since reported and fixed, that caused the IV generator to always create the same IV. The bug is a security issue that is not mentioned in the PHP 5.2.2 and PHP 4.4.7 release notes.
Read the Post