Submitted via IRC for SoyCow8317
Research presented this week at the Black Hat Europe 2017 security conference has revealed that several popular interpreted programming languages are affected by severe vulnerabilities that expose apps built on these languages to attacks.
The author of this research is IOActive Senior Security Consultant Fernando Arnaboldi. The expert says he used an automated software testing technique named fuzzing to identify vulnerabilities in the interpreters of five of today's most popular programming languages: JavaScript, Perl, PHP, Python, and Ruby.
[...] The researcher released XDiFF as an open source project on GitHub. A more detailed presentation of the testing procedure and all the vulnerabilities is available in Arnaboldi's research paper named "Exposing Hidden Exploitable Behaviors in Programming Languages Using Differential Fuzzing."
(Score: 2) by DannyB on Tuesday December 12 2017, @05:00PM (1 child)
I seem to remember a serious PHP vulnerability some months back. A web app processing a URL could be compromised. Because it uses CURL to do the URL processing. And CURL, which was never designed to be used in a web application, has buckets and oodles of fantastical flexible goodness in complex ways it can process requests. Thus PHP inherits those same fantastical features. Which led to remote code execution. A vulnerability created by a complex fairly obscure interaction of PHP with CURL in order that PHP implementers could lazily use CURL.
So a web application that could seemingly harmlessly allow a user to, say, fetch an image from a remote location and upload it as their, say, avatar or logo, could trigger remote code execution through a carefully crafted URL with whipped cream added.
People today are educated enough to repeat what they are taught but not to question what they are taught.
(Score: 0) by Anonymous Coward on Thursday December 14 2017, @12:44AM
Yes, and IIRC those functions were supposed to be disabled in php.ini by anyone who pays attention to security.