Re: Crap Language Running On Crap OS = Double Sadness

Subject: Re: Crap Language Running On Crap OS = Double Sadness
From: joelcrump (at) *nospam* gmail.com (Joel)
Newsgroups: comp.os.linux.advocacy
Date: 08. Jun 2024, 13:25:27
Message-ID: <jmf86jtkd5bc4u3k0f9non3q8em8qer09g@4ax.com>
References: 1 2
User-Agent: ForteAgent/8.00.32.1272

Chris Ahlstrom <OFeem1987@teleworm.us> wrote:
> Lawrence D'Oliveiro wrote this copyrighted missive and expects royalties:
>
>> PHP is bad enough as a language, and Windows is bad enough as an OS.
>> But put the two together, and you can get some real Greek tragedy
>> going. Look at this lovely combination where an OS is trying to be
>> helpful with substituting characters it doesn’t understand, together
>> with a language that has its own helpfulness, leading to a massive
>> security hole
>>
>> <https://arstechnica.com/security/2024/06/php-vulnerability-allows-attackers-to-run-malicious-code-on-windows-servers/>.
>
> I wrote some PHP code once, long ago. Weird, uh, "language".
>
> Anyway, from the article:
>
>    CVE-2024-4577, as the vulnerability is tracked, stems from errors in the
>    way PHP converts unicode characters into ASCII. A feature built into
>    Windows known as Best Fit allows attackers to use a technique known as
>    argument injection to pass user-supplied input into commands executed by an
>    application, in this case, PHP. Exploits allow attackers to bypass
>    CVE-2012-1823, a critical code execution vulnerability patched in PHP in
>    2012.
>
>    “While implementing PHP, the team did not notice the Best-Fit feature of
>    encoding conversion within the Windows operating system,” researchers with
>    Devcore, the security firm that discovered CVE-2024-4577, wrote. “This
>    oversight allows unauthenticated attackers to bypass the previous
>    protection of CVE-2012-1823 by specific character sequences. Arbitrary code
>    can be executed on remote PHP servers through the argument injection
>    attack.”


Clearly, this is the result of M$'s obsession with, essentially,
bloat.  It's like they would say about "liberals", never a tax
increase they didn't like (not that I'm against higher taxes, but it
is a sort of analogy), Microsoft will add any "feature" imaginable, so
we end up with this new AI hardware requirement, as if intelligent
people would need that, good lord, I had only begun to sense how
doomed my upgrade path was with Win11.  Turns out, the sooner I
switched back to Linux, the better, and there is *NO* turning back,
for damn sure.

--
Joel W. Crump

Amendment XIV
Section 1.

[...] No state shall make or enforce any law which shall
abridge the privileges or immunities of citizens of the
United States; nor shall any state deprive any person of
life, liberty, or property, without due process of law;
nor deny to any person within its jurisdiction the equal
protection of the laws.

Dobbs rewrites this, it is invalid precedent.  States are
liable for denying needed abortions, e.g. TX.
