Stories
Slash Boxes
Comments

SoylentNews is people

posted by takyon on Tuesday December 12 2017, @03:51AM   Printer-friendly
from the fuzzy-illogic dept.

Submitted via IRC for SoyCow8317

Research presented this week at the Black Hat Europe 2017 security conference has revealed that several popular interpreted programming languages are affected by severe vulnerabilities that expose apps built on these languages to attacks.

The author of this research is IOActive Senior Security Consultant Fernando Arnaboldi. The expert says he used an automated software testing technique named fuzzing to identify vulnerabilities in the interpreters of five of today's most popular programming languages: JavaScript, Perl, PHP, Python, and Ruby.

[...] The researcher released XDiFF as an open source project on GitHub. A more detailed presentation of the testing procedure and all the vulnerabilities is available in Arnaboldi's research paper named "Exposing Hidden Exploitable Behaviors in Programming Languages Using Differential Fuzzing."

Source: https://www.bleepingcomputer.com/news/security/secure-apps-exposed-to-hacking-via-flaws-in-underlying-programming-languages/


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by DannyB on Tuesday December 12 2017, @05:00PM (1 child)

    by DannyB (5839) Subscriber Badge on Tuesday December 12 2017, @05:00PM (#608790) Journal

    I seem to remember a serious PHP vulnerability some months back. A web app processing a URL could be compromised. Because it uses CURL to do the URL processing. And CURL, which was never designed to be used in a web application, has buckets and ooodles of fantastical flexible goodness in complex ways it can process requests. Thus PHP inherits those same fantastical features. Which lead to remote code execution. A vulnerability created by a complex fairly obscure interaction of PHP with CURL in order that PHP implementers could lazily use CURL.

    So a web application that could seeming harmlessly allow a user to, say, fetch an image from a remote location and upload it as their, say, avatar or logo, could trigger remote code execution through a carefully crafted URL with whipped cream added.

    --
    People today are educated enough to repeat what they are taught but not to question what they are taught.
    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2  
  • (Score: 0) by Anonymous Coward on Thursday December 14 2017, @12:44AM

    by Anonymous Coward on Thursday December 14 2017, @12:44AM (#609514)

    yes, and IIRC those functions were supposed to be disabled in php.ini by anyone who pays attention to security.