PHP is bad enough as a language, and Windows is bad enough as an OS.
But put the two together, and you can get some real Greek tragedy
going. Look at this lovely combination where an OS is trying to be
helpful with substituting characters it doesn’t understand, together
with a language that has its own helpfulness, leading to a massive
security hole
<https://arstechnica.com/security/2024/06/php-vulnerability-allows-attackers-to-run-malicious-code-on-windows-servers/>.

Lawrence D'Oliveiro wrote this copyrighted missive and expects royalties:

> PHP is bad enough as a language, and Windows is bad enough as an OS.
> But put the two together, and you can get some real Greek tragedy
> going. Look at this lovely combination where an OS is trying to be
> helpful with substituting characters it doesn’t understand, together
> with a language that has its own helpfulness, leading to a massive
> security hole
>
> <https://arstechnica.com/security/2024/06/php-vulnerability-allows-attackers-to-run-malicious-code-on-windows-servers/>.

I wrote some PHP code once, long ago. Weird, uh, "language".

Anyway, from the article:

CVE-2024-4577, as the vulnerability is tracked, stems from errors in the
way PHP converts unicode characters into ASCII. A feature built into
Windows known as Best Fit allows attackers to use a technique known as
argument injection to pass user-supplied input into commands executed by an
application, in this case, PHP. Exploits allow attackers to bypass
CVE-2012-1823, a critical code execution vulnerability patched in PHP in
2012.

“While implementing PHP, the team did not notice the Best-Fit feature of
encoding conversion within the Windows operating system,” researchers with
Devcore, the security firm that discovered CVE-2024-4577, wrote. “This
oversight allows unauthenticated attackers to bypass the previous
protection of CVE-2012-1823 by specific character sequences. Arbitrary code
can be executed on remote PHP servers through the argument injection
attack.”

--
A man was reading The Canterbury Tales one Saturday morning, when his
wife asked "What have you got there?" Replied he, "Just my cup and Chaucer."

Chris Ahlstrom <OFeem1987@teleworm.us> wrote:
>Lawrence D'Oliveiro wrote this copyrighted missive and expects royalties:
>
>> PHP is bad enough as a language, and Windows is bad enough as an OS.
>> But put the two together, and you can get some real Greek tragedy
>> going. Look at this lovely combination where an OS is trying to be
>> helpful with substituting characters it doesn’t understand, together
>> with a language that has its own helpfulness, leading to a massive
>> security hole
>>
>> <https://arstechnica.com/security/2024/06/php-vulnerability-allows-attackers-to-run-malicious-code-on-windows-servers/>.
>
>I wrote some PHP code once, long ago. Weird, uh, "language".
>
>Anyway, from the article:
>
> CVE-2024-4577, as the vulnerability is tracked, stems from errors in the
> way PHP converts unicode characters into ASCII. A feature built into
> Windows known as Best Fit allows attackers to use a technique known as
> argument injection to pass user-supplied input into commands executed by an
> application, in this case, PHP. Exploits allow attackers to bypass
> CVE-2012-1823, a critical code execution vulnerability patched in PHP in
> 2012.
>
> “While implementing PHP, the team did not notice the Best-Fit feature of
> encoding conversion within the Windows operating system,” researchers with
> Devcore, the security firm that discovered CVE-2024-4577, wrote. “This
> oversight allows unauthenticated attackers to bypass the previous
> protection of CVE-2012-1823 by specific character sequences. Arbitrary code
> can be executed on remote PHP servers through the argument injection
> attack.”

Clearly, this is the result of M$'s obsession with, essentially,
bloat. It's like they would say about "liberals", never a tax
increase they didn't like (not that I'm against higher taxes, but it
is a sort of analogy), Microsoft will add any "feature" imaginable, so
we end up with this new AI hardware requirement, as if intelligent
people would need that, good lord, I had only begun to sense how
doomed my upgrade path was with Win11. Turns out, the sooner I
switched back to Linux, the better, and there is *NO* turning back,
for damn sure.

--
Joel W. Crump

Amendment XIV
Section 1.

[...] No state shall make or enforce any law which shall
abridge the privileges or immunities of citizens of the
United States; nor shall any state deprive any person of
life, liberty, or property, without due process of law;
nor deny to any person within its jurisdiction the equal
protection of the laws.

Dobbs rewrites this, it is invalid precedent. States are
liable for denying needed abortions, e.g. TX.

On Sat, 8 Jun 2024 06:49:16 -0400, Chris Ahlstrom wrote:

> I wrote some PHP code once, long ago. Weird, uh, "language".

We have one programmer who loves PHP, generally some obsolete version. I
always expected a cage match between him and our QA head. She had been a
web designer and could make an acceptable looking page with css. At least
with what he produced the crap you got wasn't susceptible to styling and
like most programmers he was not any good at UX.

On Sat, 08 Jun 2024 07:25:27 -0400, Joel wrote:

> Clearly, this is the result of M$'s obsession with, essentially, bloat.
> It's like they would say about "liberals", never a tax increase they
> didn't like (not that I'm against higher taxes, but it is a sort of
> analogy), Microsoft will add any "feature" imaginable, so we end up with
> this new AI hardware requirement, as if intelligent people would need
> that, good lord, I had only begun to sense how doomed my upgrade path
> was with Win11. Turns out, the sooner I switched back to Linux, the
> better, and there is *NO* turning back, for damn sure.

I think the automotive industry has changed or maybe it's just I can't
tell cars apart anymore. When I was a kid, any self-respecting male could
tell a '56 Chevy from a '57 Chevy from a block away, let alone a '57 Ford
We were also attuned to how many fake portholes a Buick had. That
apparently hasn't gone away.

https://www.macsmotorcitygarage.com/buick-portholes-a-10-minute-history/

Anyway the engines and running gear seldom changed. It was just sheet
metal to generate new sales as people tried to keep up with the Joneses.
It also helped that cars were pretty much burned out at 75,000 miles.

Anyway, MS, and to a good extent the Linux DE people, are always looking
for something new and different, not necessarily any better. Right now the
AI race is the driving force. Manufacturers are hoping to drive up lagging
sales, and MS is trying to stay ahead of Google and Apple. New sheet
metal.

Some investors are starting to bet the AI craze will collapse. I tend to
agree since the prior iterations were always oversold and collapsed.

On 8 Jun 2024 19:26:30 GMT, rbowman wrote:

> At least with what he produced the crap you got wasn't susceptible to
> styling and like most programmers he was not any good at UX.

I took over development of a significant-sized PHP app that was written
for a client by a previous freelancer.

It had stylesheets in it to begin with, so I suppose that’s something.

I have fixed various brain-deadness in the code (e.g. the usual database
sloppiness) as I have had to touch parts of it to add features, fix bugs
etc.

I like to go back to Python after a PHP session to ... kind of ... get the
taste out of my mouth ...

On 8 Jun 2024 19:41:31 GMT, rbowman wrote:

> Anyway, MS, and to a good extent the Linux DE people, are always looking
> for something new and different, not necessarily any better.

Spot the difference: One of those wants to give you more choice, the other
wants to take it away.