
SoylentNews is people

posted by takyon on Tuesday December 12 2017, @03:51AM
from the fuzzy-illogic dept.

Submitted via IRC for SoyCow8317

Research presented this week at the Black Hat Europe 2017 security conference has revealed that several popular interpreted programming languages are affected by severe vulnerabilities that expose apps built on these languages to attacks.

The author of this research is IOActive Senior Security Consultant Fernando Arnaboldi. The expert says he used an automated software testing technique named fuzzing to identify vulnerabilities in the interpreters of five of today's most popular programming languages: JavaScript, Perl, PHP, Python, and Ruby.

[...] The researcher released XDiFF as an open source project on GitHub. A more detailed presentation of the testing procedure and all the vulnerabilities is available in Arnaboldi's research paper named "Exposing Hidden Exploitable Behaviors in Programming Languages Using Differential Fuzzing."

Source: https://www.bleepingcomputer.com/news/security/secure-apps-exposed-to-hacking-via-flaws-in-underlying-programming-languages/


  • (Score: 1, Insightful) by Anonymous Coward on Tuesday December 12 2017, @07:54PM (#608887)

    Sooo did anyone else read the paper?

    One of the "remote exploitable" vuln categories is "don't use a hardcoded name in a .php that is called from another .php, when serving to the web, because calling the first directly with a parameter in the URL lets users specify arguments."

    It's like, really? This isn't a bug in the interpreter. This is a language-wide feature. This is literally how php takes GET and POST arguments. The "bug" would be in applications using such a broken idiom.

    Or am I, a neophyte PHPinhead, missing something?

  • (Score: 0) by Anonymous Coward on Tuesday December 12 2017, @09:23PM (#608937)

    They aren't really huge exploits and most of this is overhyped. For example, one of the Python vulnerabilities requires changing the environment the program is in so that the PAGER variable points somewhere else. Hate to break it to you, but if you can change the pager, you can do a lot more than hope that the python script running eventually uses the specific method that relies on that.

    • (Score: 0) by Anonymous Coward on Tuesday December 12 2017, @09:37PM (#608948)

      Well, that's a bit of a permission-upgrade possibility, one must grant.

      • (Score: 0) by Anonymous Coward on Wednesday December 13 2017, @02:54AM (#609062)

        No more so than the ability to change the environmental variable of a running process from the outside. To do so requires external debugging permission, which is (on most modern systems) either the same user or root. Root is, obviously, not in need of an upgrade, and the same user can already run the program directly without having to go to the trouble of making another process do it for them.