I've recently been fuzzing the PHP interpreter, and took a UaF bug all the way from crashing-sample to weaponized code execution. Here is the first of several blog posts I plan to write about the process. https://blog.jmpesp.org/2020/01/fuzzing-php-with-domato.html …
-
-
Correct, and I tend to agree in theory. In fact this isn't even classified as a "security" bug due to the need for custom code. Makes sense. That said, as long as disable_functions is offered, users should reasonably expect it to be effective. This violates that control.pic.twitter.com/yVPo4OYiR0
-
Indeed. If safe_mode doesn't even exist anymore because it's not feasible, it seems a little counter-intuitive that disable_functions is still advertised as fine, and a viable way of preventing the use of unsafe PHP capabilities. https://www.php.net/manual/en/ini.core.php#ini.disable-functions … https://www.php.net/manual/en/ini.sect.safe-mode.php#ini.safe-mode …
End of conversation
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.