s_q_b | 9 years ago
The fixes are code reviewed, but not merged, because the developers don't seem to understand PHP-into-C null string terminator vulnerabilities, or type juggling, or strict comparison, or... I could go on.
PHP is unsafe at any speed, because it almost invites arbitrary code execution through a number of vectors. It isn't inherently bad if used correctly, as most Facebook developers will tell you, but the language structure involves quite a number of insecure practices.
After all, most programmers don't expect:
<?php 0 == "string"; ?> to be true.
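An added example, not part of the original comments: the comparison quoted above placed in a credential check, beside a hardened version. The function names `check_loose` and `check_strict` and all sample values are constructed for illustration. PHP 8.0 changed the int-versus-non-numeric-string case so that `0 == "string"` is false there, but the boolean and numeric-string conversions shown below still apply.

```php
<?php
// Added illustration; function names and sample values are hypothetical.

// Loose comparison: PHP converts both operands to a common type first.
function check_loose($supplied, string $stored): bool
{
    return $supplied == $stored;
}

// Hardened: reject anything that is not a string, then compare the bytes
// in constant time. hash_equals() requires PHP 5.6 or later.
function check_strict($supplied, string $stored): bool
{
    return is_string($supplied) && hash_equals($stored, $supplied);
}

$stored = 'string';

// Constructed inputs, typed as json_decode() would deliver them
// (JSON numbers and booleans keep their type).
$cases = [
    'int 0'        => 0,        // int vs non-numeric string: rule changed in PHP 8.0
    'bool true'    => true,     // string is cast to bool; any non-empty string is true
    'wrong string' => 'strinG',
    'right string' => 'string',
];

foreach ($cases as $label => $value) {
    printf(
        "%-13s loose=%-5s strict=%s\n",
        $label,
        var_export(check_loose($value, $stored), true),
        var_export(check_strict($value, $stored), true)
    );
}

// Two different numeric-looking strings: == compares them as numbers
// (both parse as 0 x 10^n), === compares type and bytes.
var_dump('0e123' == '0e456');
var_dump('0e123' === '0e456');
```

Running it under both a PHP 7 and a PHP 8 interpreter shows which loose results depend on the runtime version and which do not; the strict column is the same on both.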
merb|9 years ago
nobody would expect that
dozzie|9 years ago
xerophyte12932|9 years ago
avg_dev|9 years ago
s_q_b|9 years ago
As for the framework, that's RDK-B. http://rdkcentral.com http://code.rdkcentral.com https://github.com/rdkcmf
The deeper you look, the worse it gets. Those PHP issues are very trivial, first-glance type stuff. Some need a bit of a twist to make exploitable, but another will strip the encryption right off the hidden network.
I have others I wish to disclose, but I can't seem to get them to respond to my requests for a PoC. Quite frankly, I'm shocked that I can't seem to get anyone to realize how serious the impact of an RCE vulnerability in a framework fielded that widely truly is.
If you find any of the more serious things I'm talking about on your own, wait for the vendors to fix them. Please don't brick the world.
meowface|9 years ago
They should still be fixed, but I believe these bugs are no longer an issue in PHP after 5.3.
mamcx|9 years ago
Is BAD. Imagine if a car was made with the same "design".
A tool is BAD if the user must patch to overcome the inherent behaviour it shows.
ufo|9 years ago
ufo|9 years ago