Subject: Re: Crap Language Running On Crap OS = Double Sadness
From: joelcrump (at) *nospam* gmail.com (Joel)
Groups: comp.os.linux.advocacy
Date: 08. Jun 2024, 13:25:27
Message-ID: <jmf86jtkd5bc4u3k0f9non3q8em8qer09g@4ax.com>
References: 1 2
User-Agent: ForteAgent/8.00.32.1272
Chris Ahlstrom <OFeem1987@teleworm.us> wrote:

> Lawrence D'Oliveiro wrote this copyrighted missive and expects royalties:
>
>> PHP is bad enough as a language, and Windows is bad enough as an OS.
>> But put the two together, and you can get some real Greek tragedy
>> going. Look at this lovely combination where an OS is trying to be
>> helpful with substituting characters it doesn’t understand, together
>> with a language that has its own helpfulness, leading to a massive
>> security hole
>>
>> <https://arstechnica.com/security/2024/06/php-vulnerability-allows-attackers-to-run-malicious-code-on-windows-servers/>.
>
> I wrote some PHP code once, long ago. Weird, uh, "language".
>
> Anyway, from the article:
>
> CVE-2024-4577, as the vulnerability is tracked, stems from errors in the
> way PHP converts unicode characters into ASCII. A feature built into
> Windows known as Best Fit allows attackers to use a technique known as
> argument injection to pass user-supplied input into commands executed by an
> application, in this case, PHP. Exploits allow attackers to bypass
> CVE-2012-1823, a critical code execution vulnerability patched in PHP in
> 2012.
>
> “While implementing PHP, the team did not notice the Best-Fit feature of
> encoding conversion within the Windows operating system,” researchers with
> Devcore, the security firm that discovered CVE-2024-4577, wrote. “This
> oversight allows unauthenticated attackers to bypass the previous
> protection of CVE-2012-1823 by specific character sequences. Arbitrary code
> can be executed on remote PHP servers through the argument injection
> attack.”

Clearly, this is the result of M$'s obsession with, essentially,
bloat. It's like they would say about "liberals", never a tax
increase they didn't like (not that I'm against higher taxes, but it
is a sort of analogy), Microsoft will add any "feature" imaginable, so
we end up with this new AI hardware requirement, as if intelligent
people would need that, good lord, I had only begun to sense how
doomed my upgrade path was with Win11. Turns out, the sooner I
switched back to Linux, the better, and there is *NO* turning back,
for damn sure.
-- 
Joel W. Crump

Amendment XIV
Section 1.

[...] No state shall make or enforce any law which shall
abridge the privileges or immunities of citizens of the
United States; nor shall any state deprive any person of
life, liberty, or property, without due process of law;
nor deny to any person within its jurisdiction the equal
protection of the laws.

Dobbs rewrites this, it is invalid precedent. States are
liable for denying needed abortions, e.g. TX.
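An added illustration of the general failure the quoted article describes, written for this page and not taken from the post, the Ars Technica article, Devcore, or PHP: when a lossy encoding conversion runs after input validation, a character that looked harmless can become a command-line metacharacter by the time it reaches an option parser. The script stands in for Windows Best Fit with Unicode NFKC normalization, which is an assumption made so it runs on any platform; the allowlist, metacharacter set, and sample inputs are constructed for the example, and none of it reproduces the CVE-2024-4577 character sequences.

```python
import re
import unicodedata

# Allowlist for what a CGI-style argument may contain AFTER canonicalization.
# Constructed for this example; a real application tunes it to its needs.
ALLOWED = re.compile(r"\A[A-Za-z0-9_.=/]*\Z")

# Characters that mean something to a shell or an option parser.
# Constructed list for the example.
METACHARS = set("-<>|&;`$\"'\\ \t\r\n")


def canonicalize(arg: str) -> str:
    """Stand-in for a lossy platform conversion such as Windows "Best Fit".

    Assumption: NFKC compatibility normalization is used here as an analogy.
    It folds fullwidth and other compatibility forms to their ASCII
    counterparts, which is the same shape of surprise as a code-page
    best-fit mapping, but it is not the Windows conversion table.
    """
    return unicodedata.normalize("NFKC", arg)


def naive_check(arg: str) -> bool:
    """Validate the raw string before any conversion (the pattern that fails)."""
    return not any(ch in METACHARS for ch in arg)


def hardened_check(arg: str) -> bool:
    """Validate the value the downstream program will actually see.

    Canonicalize first, then require pure ASCII and an allowlist match,
    so nothing that a conversion step folds into a metacharacter survives.
    """
    canon = canonicalize(arg)
    if not canon.isascii():
        return False
    return ALLOWED.fullmatch(canon) is not None


def classify(arg: str) -> dict:
    """Report both verdicts and the canonical form for one argument."""
    return {
        "naive": naive_check(arg),
        "hardened": hardened_check(arg),
        "canonical": canonicalize(arg),
    }


# Constructed sample inputs: one benign, two that only become
# metacharacters after canonicalization.
SAMPLE_ARGS = [
    "page=index",
    "\uff0dx",    # FULLWIDTH HYPHEN-MINUS followed by "x"
    "a\uff1cb",   # FULLWIDTH LESS-THAN SIGN between letters
]

if __name__ == "__main__":
    for a in SAMPLE_ARGS:
        print(repr(a), classify(a))
```

Running it shows the raw-string check passing all three inputs while the canonicalize-then-allowlist check rejects the two fullwidth cases. The design point is that validation must see the same bytes the command parser sees; the complementary control is to avoid handing web input to a process's argv in the first place, which is what the 2012 protection the article mentions was trying to enforce.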