It really sounds like someone needed something to write so they come to HN and write a article based off what everyone in the thread has said without adding anything of value.
It's worth noting that a simple input-sanitizing if statement applied across the $_REQUEST variable can eliminate this vulnerability, a measure that every PHP dev can use right now regardless of admin access to compile a new executable.
Also, yesterday, there was a poster in here claiming that PHP's json_decode() of an object like {"motb":"2.22507385851e-308"} would trigger the vulnerability whether the number was enclosed in quotes or not. I have since determined that this claim is false, json_decode() did not trigger the problem with or even without the quotes. In fact, the only way I was able to reliably cause the crash was by casting variables from the $_REQUEST array as float - a behavior that can be safeguarded against pretty easily.
Obviously, this is a serious issue, but it's an attack apps can be hardened against with minimal effort. For comparison, a buffer overflow vuln on the string type would be much, much more disastrous. So we're going to have to run an extra line of input sanitization for a while, that's all.
I haven't heard it used this this type of situation before, but I believe the Mark of the Beast is commonly referenced as an "evil number", so I suppose it works in this instance.
[+] [-] yuvadam|15 years ago|reply
Either address a technical crowd, and use proper technical terms, or use plain language anyone can understand.
"GET protocol"?
"adding a “-ffloat-store” flag to CFLAGS"??? Do they even know what this means?
[+] [-] veb|15 years ago|reply
[+] [-] Udo|15 years ago|reply
Also, yesterday, there was a poster in here claiming that PHP's json_decode() of an object like {"motb":"2.22507385851e-308"} would trigger the vulnerability whether the number was enclosed in quotes or not. I have since determined that this claim is false, json_decode() did not trigger the problem with or even without the quotes. In fact, the only way I was able to reliably cause the crash was by casting variables from the $_REQUEST array as float - a behavior that can be safeguarded against pretty easily.
Obviously, this is a serious issue, but it's an attack apps can be hardened against with minimal effort. For comparison, a buffer overflow vuln on the string type would be much, much more disastrous. So we're going to have to run an extra line of input sanitization for a while, that's all.
[+] [-] RobertKohr|15 years ago|reply
[+] [-] dmoney|15 years ago|reply
[+] [-] Refringe|15 years ago|reply
What it actually means: http://en.wikipedia.org/wiki/Number_of_the_Beast
[+] [-] dsghrtkty|15 years ago|reply
[deleted]