Sujet : Re: Crap Language Running On Crap OS = Double Sadness
De : OFeem1987 (at) *nospam* teleworm.us (Chris Ahlstrom)
Groupes : comp.os.linux.advocacyDate : 08. Jun 2024, 12:49:16
Autres entêtes
Organisation : None
Message-ID : <v41cvc$2ipqm$2@dont-email.me>
References : 1
User-Agent : slrn/1.0.3 (Linux)
Lawrence D'Oliveiro wrote this copyrighted missive and expects royalties:
PHP is bad enough as a language, and Windows is bad enough as an OS.
But put the two together, and you can get some real Greek tragedy
going. Look at this lovely combination where an OS is trying to be
helpful with substituting characters it doesn’t understand, together
with a language that has its own helpfulness, leading to a massive
security hole
>
<https://arstechnica.com/security/2024/06/php-vulnerability-allows-attackers-to-run-malicious-code-on-windows-servers/>.
I wrote some PHP code once, long ago. Weird, uh, "language".
Anyway, from the article:
CVE-2024-4577, as the vulnerability is tracked, stems from errors in the
way PHP converts unicode characters into ASCII. A feature built into
Windows known as Best Fit allows attackers to use a technique known as
argument injection to pass user-supplied input into commands executed by an
application, in this case, PHP. Exploits allow attackers to bypass
CVE-2012-1823, a critical code execution vulnerability patched in PHP in
2012.
“While implementing PHP, the team did not notice the Best-Fit feature of
encoding conversion within the Windows operating system,” researchers with
Devcore, the security firm that discovered CVE-2024-4577, wrote. “This
oversight allows unauthenticated attackers to bypass the previous
protection of CVE-2012-1823 by specific character sequences. Arbitrary code
can be executed on remote PHP servers through the argument injection
attack.”
-- A man was reading The Canterbury Tales one Saturday morning, when hiswife asked "What have you got there?" Replied he, "Just my cup and Chaucer."