@andrewfeeney It feels over-hyped, as PHP security issues often are. 😔
I'm 50/50 on it being an interesting academic vulnerability that affects a very specific configuration and some specific apps, vs it affecting apps like WordPress that try to do magic language handling.
@mergy @cabbey @valorin @andrewfeeney nice thing about the manual fix is that, real talk, there are servers I won't update, not even once at all, during 2024. lol.
@bobmagicii @mergy @cabbey @andrewfeeney
Yeah, definitely. But in that case, you're making the choice to do manual upgrades. I'm thinking of folks who have servers they don't closely manage. A simple apt update is much easier than manual steps.
@bobmagicii oh yeah, there's certainly something to be said for being able to just ssh into a box, boot the encoding out of the support list and rebuild the iconv catalogs. :)
@andrewfeeney I'm not really a security guy...
Does this hack/bug require access to the server? Like terminal access or something? Some malicious code to be uploaded? Or how does it work?
And then, if it requires terminal access or something similar that normal people visiting sites don't have, how real/high is the risk then?
@arnan No, it does not require shell access. Shell access would be what someone might be able to achieve if they successfully exploited it. My understanding is that someone could craft an HTTP request to a PHP-powered web app which could allow them to access or manipulate memory of the host in another process, allowing them to access and/or control that host directly. We haven't seen any successful implementations of an exploit, though the researcher who disclosed this reveals theirs on May 10.
But assume the worst case: there is some magic string that, if they can get your web server to spit it out in that encoding, can be used to dump anything PHP has access to… or run any arbitrary assembly… as your PHP user.
There are probably a dozen lesser degrees too.
Disclaimer: I’m not a security researcher either… it’s been 20+ years since I sat down and crawled through any code looking for malicious ways to abuse it.
@bobmagicii @andrewfeeney
The video is a third party speculating based on the CVE description and the conference talk abstract the researcher is presenting.
@valorin @bobmagicii While LowLevelLearning is a legit security researcher by trade (as far as I understand, anyway), I suppose it's true that he has a financial incentive to overstate the impact of a CVE to get views. I'm not saying that's his conscious intention here, but it's worth considering. I was just surprised that I heard it first through his video. Turns out others like @j3j5 had already been talking about it here; I just missed it.
I wasn't aware of him before this, but he came across in the video as someone who knew his stuff about infosec - even if he was just speculating about this specific issue.
I guess YT requires hyping up videos to get engagement, etc, though, so he does what he needs to do... 🤷
But I'm always frustrated when I see PHP-ecosystem vulns hyped up, because you can guarantee some ignorant executive is going to blindly reject PHP because "it's insecure".
@valorin @bobmagicii @j3j5 eh, I dunno... this was my first exposure to him as well, and frankly the fact that he called utf-8 "the encoding for English" basically put me into "lol, no." mode and closed the tab. Thank you @andrewfeeney for the direct CVE link.