Except for PHP’s insane RFI problem, the web tier vulns as bad as RCE are all shared by C. Even unmarshalling!
I don't claim C inherently fares better here, just maybe not significantly worse.
Replying to @RichFelker @phryanjr
It’s worse! Because in addition to SQLI, file access vulns, and races, you also get memory corruption.
What additional value does that give an attacker for a webapp with a modern containerized deployment?
Replying to @RichFelker @phryanjr
The exact same thing SQLI gives you: game over for that application.
I am not disputing that SQLI is as bad as RCE. It almost always is.
I’m saying two game-over vectors is worse than one.
(incidentally: my faith in “containerization” as protection for losing code execution: not at all high)
I don't see most use as a "protection"; rather it just makes throwing away & replacing a compromised environment easy.
Replying to @RichFelker @phryanjr
Yes, but to do that, you have to trust that the host isn’t compromised, and you probably shouldn’t.
Well that's Amazon's/Google's/whoever's problem... ;-)
Replying to @RichFelker @phryanjr
Sure. But contrast with EC2 virtualization, which most people do sort of trust.