Re: Crap Language Running On Crap OS = Double Sadness

Lawrence D'Oliveiro wrote this copyrighted missive and expects royalties:

PHP is bad enough as a language, and Windows is bad enough as an OS.
But put the two together, and you can get some real Greek tragedy
going. Look at this lovely combination where an OS is trying to be
helpful with substituting characters it doesn’t understand, together
with a language that has its own helpfulness, leading to a massive
security hole
>
<https://arstechnica.com/security/2024/06/php-vulnerability-allows-attackers-to-run-malicious-code-on-windows-servers/>.

I wrote some PHP code once, long ago. Weird, uh, "language".

Anyway, from the article:

    CVE-2024-4577, as the vulnerability is tracked, stems from errors in the
    way PHP converts unicode characters into ASCII. A feature built into
    Windows known as Best Fit allows attackers to use a technique known as
    argument injection to pass user-supplied input into commands executed by an
    application, in this case, PHP. Exploits allow attackers to bypass
    CVE-2012-1823, a critical code execution vulnerability patched in PHP in
    2012.

    “While implementing PHP, the team did not notice the Best-Fit feature of
    encoding conversion within the Windows operating system,” researchers with
    Devcore, the security firm that discovered CVE-2024-4577, wrote. “This
    oversight allows unauthenticated attackers to bypass the previous
    protection of CVE-2012-1823 by specific character sequences. Arbitrary code
    can be executed on remote PHP servers through the argument injection
    attack.”

--
A man was reading The Canterbury Tales one Saturday morning, when his
wife asked "What have you got there?"  Replied he, "Just my cup and Chaucer."