Upcoming Hardening in PHP (dustri.org)
69 points by mmsc 4 hours ago | hide | past | favorite | 6 comments

The linked CVE-2024-2961 article is a pretty fantastic read on its own:

https://www.ambionics.io/blog/iconv-cve-2024-2961-p1

People are so creative, I can't help but feel some hope for our future :)


Thanks for that. I’ve never seen it before. What a neat path they took.

> I find it fascinating that people are putting so much effort into optimizing exploitation techniques, yet ~nobody bothers fixing them, even if it only takes a couple of lines of code and 20 minutes.

There's definite reward in having a 0-day. Either you can get a bounty, or sell it in the hacker-souk.

That "couple of lines of code and 20 minutes" is sort of in the eye of the beholder. If you are a highly-experienced language developer, the fixes are likely to be a lot more obvious, simpler, more comprehensive, and robust, than if you are a relatively junior IC.


> Suggestion to make those parts read-only was rejected as a 0.6% performance impact was deemed too expensive for too little gain.

Big Oof. :( :( :(


Are these issues very particular to PHP? Honest question, this is all above my current programming knowledge.

The real question is why does PHP have so many bugs that it's so trivial to exploit?


