<v41cvc$2ipqm$2@dont-email.me>


Path: ...!weretis.net!feeder8.news.weretis.net!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: Chris Ahlstrom <OFeem1987@teleworm.us>
Newsgroups: comp.os.linux.advocacy
Subject: Re: Crap Language Running On Crap OS = Double Sadness
Date: Sat, 8 Jun 2024 06:49:16 -0400
Organization: None
Lines: 34
Message-ID: <v41cvc$2ipqm$2@dont-email.me>
References: <v408a6$29nhl$2@dont-email.me>
Reply-To: OFeem1987@teleworm.us
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Injection-Date: Sat, 08 Jun 2024 12:49:17 +0200 (CEST)
Injection-Info: dont-email.me; posting-host="0bfa1d85c1d2a92ca4ab17ef3136bc5f";
	logging-data="2713430"; mail-complaints-to="abuse@eternal-september.org";	posting-account="U2FsdGVkX1/L4pv4B3kspNZCSTrLNefA"
User-Agent: slrn/1.0.3 (Linux)
Cancel-Lock: sha1:1yPLmRQ7tNn0CC0bSxZCkrhbxHs=
X-User-Agent: Microsoft Outl00k, Usenet K00k Editions
X-Mutt: The most widely-used MUA
X-Slrn: Why use anything else?
Bytes: 2871

Lawrence D'Oliveiro wrote this copyrighted missive and expects royalties:

> PHP is bad enough as a language, and Windows is bad enough as an OS.
> But put the two together, and you can get some real Greek tragedy
> going. Look at this lovely combination where an OS is trying to be
> helpful with substituting characters it doesn’t understand, together
> with a language that has its own helpfulness, leading to a massive
> security hole
>
> <https://arstechnica.com/security/2024/06/php-vulnerability-allows-attackers-to-run-malicious-code-on-windows-servers/>.

I wrote some PHP code once, long ago. Weird, uh, "language".

Anyway, from the article:

    CVE-2024-4577, as the vulnerability is tracked, stems from errors in the
    way PHP converts unicode characters into ASCII. A feature built into
    Windows known as Best Fit allows attackers to use a technique known as
    argument injection to pass user-supplied input into commands executed by an
    application, in this case, PHP. Exploits allow attackers to bypass
    CVE-2012-1823, a critical code execution vulnerability patched in PHP in
    2012. 

    “While implementing PHP, the team did not notice the Best-Fit feature of
    encoding conversion within the Windows operating system,” researchers with
    Devcore, the security firm that discovered CVE-2024-4577, wrote. “This
    oversight allows unauthenticated attackers to bypass the previous
    protection of CVE-2012-1823 by specific character sequences. Arbitrary code
    can be executed on remote PHP servers through the argument injection
    attack.”

-- 
	A man was reading The Canterbury Tales one Saturday morning, when his
wife asked "What have you got there?"  Replied he, "Just my cup and Chaucer."
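
The bug class the quoted article describes (an option check made before a lossy character conversion), as an added Python sketch that is not part of the post, PHP's code, or the Windows Best Fit table. The mapping table is constructed for illustration and all function names are hypothetical.

```python
# Constructed stand-in for a lossy "best fit" conversion: look-alike
# characters are mapped to ASCII instead of being rejected.
# This is NOT the Windows table; the entries are illustrative only.
BEST_FIT = {"\uff0d": "-", "\u2010": "-", "\uff56": "v"}


def best_fit_to_ascii(text):
    """Convert to ASCII the lossy way: substitute instead of failing."""
    return "".join(ch if ord(ch) < 0x80 else BEST_FIT.get(ch, "?") for ch in text)


def looks_like_option(arg):
    """The guard: refuse input that would be parsed as a command-line option."""
    return arg.startswith("-")


def gate_check_then_convert(raw):
    """Flawed order: the guard sees the raw text, the program sees the converted text."""
    if looks_like_option(raw):
        return None
    return best_fit_to_ascii(raw)


def gate_convert_then_check(raw):
    """Fix 1: run the guard on exactly the bytes the program will receive."""
    converted = best_fit_to_ascii(raw)
    return None if looks_like_option(converted) else converted


def gate_strict_ascii(raw):
    """Fix 2: refuse any input that would need a lossy conversion at all."""
    if not raw.isascii() or looks_like_option(raw):
        return None
    return raw


if __name__ == "__main__":
    # Constructed inputs: plain option, look-alike option, ordinary value.
    for sample in ["-v", "\uff0dv", "page=1"]:
        print(repr(sample),
              gate_check_then_convert(sample),
              gate_convert_then_check(sample),
              gate_strict_ascii(sample))
```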