From: Chris Ahlstrom
Newsgroups: comp.os.linux.advocacy
Subject: Re: Crap Language Running On Crap OS = Double Sadness
Date: Sat, 8 Jun 2024 06:49:16 -0400

Lawrence D'Oliveiro wrote this copyrighted missive and expects royalties:

> PHP is bad enough as a language, and Windows is bad enough as an OS.
> But put the two together, and you can get some real Greek tragedy
> going. Look at this lovely combination where an OS is trying to be
> helpful with substituting characters it doesn’t understand, together
> with a language that has its own helpfulness, leading to a massive
> security hole
>
> .

I wrote some PHP code once, long ago. Weird, uh, "language".

Anyway, from the article:

CVE-2024-4577, as the vulnerability is tracked, stems from errors in the way PHP converts unicode characters into ASCII. A feature built into Windows known as Best Fit allows attackers to use a technique known as argument injection to pass user-supplied input into commands executed by an application, in this case, PHP. Exploits allow attackers to bypass CVE-2012-1823, a critical code execution vulnerability patched in PHP in 2012.
“While implementing PHP, the team did not notice the Best-Fit feature of encoding conversion within the Windows operating system,” researchers with Devcore, the security firm that discovered CVE-2024-4577, wrote. “This oversight allows unauthenticated attackers to bypass the previous protection of CVE-2012-1823 by specific character sequences. Arbitrary code can be executed on remote PHP servers through the argument injection attack.”

--
A man was reading The Canterbury Tales one Saturday morning, when
his wife asked "What have you got there?" Replied he, "Just my cup
and Chaucer."
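
The ordering problem the quoted article describes, as an added example that is not part of the original post or of PHP's code: a guard that looks for a leading '-' before a lossy character conversion misses input that only becomes '-' afterwards. Unicode NFKC folding stands in here for Windows Best-Fit (an assumption, not the Windows mapping table), and all function names and sample query strings are hypothetical.

```python
import unicodedata
from urllib.parse import unquote


def lossy_to_ascii(text: str) -> str:
    # Stand-in (assumption) for a best-fit style conversion: compatibility
    # folding via NFKC, then '?' for anything still outside ASCII.
    folded = unicodedata.normalize("NFKC", text)
    return folded.encode("ascii", "replace").decode("ascii")


def check_then_convert(query: str):
    """Flawed order: the '-' test runs on the text before conversion.
    Returns what the option parser would receive, or None if nothing does."""
    if "=" in query:             # CGI: such queries are not passed as arguments
        return None
    arg = unquote(query)
    if arg.startswith("-"):      # the kind of guard added for CVE-2012-1823
        return None
    return lossy_to_ascii(arg)   # conversion happens after the guard


def convert_then_check(query: str):
    """Hardened order: test the string in the form the parser will receive."""
    if "=" in query:
        return None
    arg = lossy_to_ascii(unquote(query))
    if arg.startswith("-"):
        return None
    return arg


def suspicious(query: str) -> bool:
    """Log triage: no '=' and a first character that is '-' or non-ASCII."""
    arg = unquote(query)
    return "=" not in query and arg != "" and (arg[0] == "-" or ord(arg[0]) > 0x7F)


# Constructed sample query strings (not taken from any real log).
SAMPLES = ["page=2", "-opt", "%EF%BC%8Dopt", "search+term"]

if __name__ == "__main__":
    for q in SAMPLES:
        print(f"{q!r:18} flawed={check_then_convert(q)!r:14} "
              f"hardened={convert_then_check(q)!r:14} flag={suspicious(q)}")
```

The third sample passes the flawed guard and reaches the parser as an option, while the hardened order rejects it and the triage function flags it.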