Upcoming Hardening in PHP

(dustri.org)

54 points | by mmsc 8 days ago

6 comments

  • ChrisMarshallNY 2 hours ago
    > I find it fascinating that people are putting so much effort into optimizing exploitation techniques, yet ~nobody bothers fixing them, even if it only takes a couple of lines of code and 20 minutes.

    There's definite reward in having a 0-day. Either you can get a bounty, or sell it in the hacker-souk.

    That "couple of lines of code and 20 minutes" is sort of in the eye of the beholder. If you are a highly-experienced language developer, the fixes are likely to be a lot more obvious, simpler, more comprehensive, and robust, than if you are a relatively junior IC.

  • metadat 1 hour ago
    The linked CVE-2024-2961 article is a pretty fantastic read on its own:

    https://www.ambionics.io/blog/iconv-cve-2024-2961-p1

    People are so creative, I can't help but feel some hope for our future :)

    • MBCook 49 minutes ago
      Thanks for that. I’ve never seen it before. What a neat path they took.
  • justinclift 1 hour ago
    > Suggestion to make those parts read-only was rejected as a 0.6% performance impact was deemed too expensive for too little gain.

    Big Oof. :( :( :(

  • urban_alien 1 hour ago
    Are these issues very particular to PHP? Honest question, this is all above my current programming knowledge.
  • mgaunard 1 hour ago
    The real question is why does PHP have so many bugs that it's so trivial to exploit?