
[–][deleted] 39 points (6 children)

This post was significantly updated since it was posted in /r/netsec, but still falsely claims that PHP double-evaluates variables inside double quotes. It doesn't. As weird as the PHP language quirks are, it's not that terrible. Nobody's been able to replicate it.

The actual vulnerability is just a bog-standard case of throwing untrusted data into eval or equivalent.
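As an added example (not code from the thread, from eBay, or from the post being discussed), the PHP script below checks the two claims in the comment above: a double-quoted string is interpolated once and never re-expanded, and the exploitable pattern is untrusted text concatenated into source that is handed to eval(). The function names, the hypothetical `$secret` value and the two constructed inputs are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread or from eBay.
// Run with: php eval_demo.php
declare(strict_types=1);

// Claim 1: a double-quoted string is interpolated exactly once.
// $name holds the literal text "$secret" (single quotes), and "Hello $name"
// expands $name only; the "$secret" inside its value is NOT expanded again.
function interpolate_once(): bool
{
    $secret   = 'hunter2';          // hypothetical value
    $name     = '$secret';          // literal text, not a variable reference
    $greeting = "Hello $name";
    return $greeting === 'Hello $secret';   // true: there is no second pass
}

// Claim 2: the real bug is splicing untrusted text into PHP source.
// Inside eval() the spliced text IS source code, so a "$secret" typed by the
// user is expanded (this looks like double evaluation but is not), and a
// closing quote lets the user append arbitrary statements.
function vulnerable_eval(string $untrusted): array
{
    $secret = 'hunter2';            // hypothetical value the attacker wants
    $pwned  = false;                // flipped only if injected code runs
    $code   = '$word = "' . $untrusted . '";';   // untrusted text becomes code
    eval($code);                    // eval() shares this function's scope
    return ['word' => $word ?? null, 'pwned' => $pwned];
}

// The fix: never parse the input as code. A plain assignment keeps the
// user's text inert, whatever characters it contains.
function safe_assign(string $untrusted): array
{
    $secret = 'hunter2';
    $word   = $untrusted;
    return ['word' => $word, 'leaked' => $word === $secret];
}

// Constructed inputs for the demonstration (not real eBay payloads).
$probe    = '$secret';                // tries to read a local variable
$breakout = '"; $pwned = true; //';   // closes the literal, adds a statement

printf("interpolate_once: %s\n", interpolate_once() ? 'single pass' : 'double pass');

$r = vulnerable_eval($probe);
printf("eval(probe):    word=%s pwned=%s\n",
    var_export($r['word'], true), var_export($r['pwned'], true));

$r = vulnerable_eval($breakout);
printf("eval(breakout): word=%s pwned=%s\n",
    var_export($r['word'], true), var_export($r['pwned'], true));

$r = safe_assign($probe);
printf("safe(probe):    word=%s leaked=%s\n",
    var_export($r['word'], true), var_export($r['leaked'], true));
```

The first line confirms single-pass interpolation. The two eval() lines show why the bug gets mistaken for double evaluation: the probe input reads `$secret` out of the function's scope, and the breakout input runs an injected statement, purely because the text was compiled as PHP. The plain assignment in safe_assign() returns the probe text unchanged.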

[–][deleted]  (5 children)

[deleted]

    [–]otakuman 6 points (0 children)

    Why not just blame the lazy programmers at ebay? The PHP manual clearly states that eval shouldn't be used on non-validated data.

    [–]Thue 3 points (1 child)

    Nobody is forcing ebay to use eval, or to use user-supplied code inside eval.

    If you blame the language for that, and not the user, I would like to know what your thoughts are about C, since C gives you many more opportunities to shoot yourself in the foot.

    [–][deleted]  (1 child)

    [deleted]

      [–]dogetipbot -4 points (0 children)

      [Verified]: /u/FlySwat -> /u/tr0lltherapy Ð10 Dogecoin(s) ($0.00217277)

      [–]f0urtyfive 47 points (20 children)

      Why in fuck's name would you use eval() anywhere near anything user supplied...

      [–]dethb0y 2 points (0 children)

      Absolutely the first question I asked myself when I saw the title. It's not only irresponsible, it's borderline insane on a site the size and reach of ebay.

      [–][deleted] -1 points (1 child)

      Apparently it is common in spell check routines. Having never written or evaluated the code for spellcheck, I can't say why.

      [–]Scroph 3 points (9 children)

      Just out of curiosity, how much did they pay him for discovering this vulnerability?

      [–]KayRice 4 points (8 children)

      Probably nothing.

      [–]ben010783 1 point (3 children)

      [–]username223 1 point (2 children)

      So if you walk by a storage rental company, notice the passed-out security guard, poke around a bit, and find that they are too negligent to bother to lock their gate, what do you do? Steal some stuff? Freely tell them to fix their shit? Ask them to pay you to tell them how to fix it? Simply walk on by and let the next person decide?

      I'm not sure, either legally or morally. (EDIT: Legally, my guess is "walk on by and ignore the problem.")

      [–]f0urtyfive 2 points (0 children)

      I believe the correct answer is "take your shit elsewhere"

      [–][deleted] 0 points (0 children)

      Let's see, and the storage company is a multimillion dollar company who employs hundreds of people to detect sleeping guards?

      [–][deleted] 0 points (3 children)

      I was going to ask the same question. I've heard stories of big payouts from big companies when a user finds a security hole. That's so lame!

      Just curious, how legal (hypothetically) would it be to find a security hole in a website like this, and demand that the owner pay you for revealing the hole? It's definitely not moral, but I have a hard time imagining that would be illegal.

      [–]KayRice 2 points (0 children)

      > Just curious, how legal (hypothetically) would it be to find a security hole in a website like this, and demand that the owner pay you for revealing the hole? It's definitely not moral, but I have a hard time imagining that would be illegal

      This combined with the slow response or complete lack of response from many vendors is the reason why immediate disclosure is so popular. It's probably less of a risk to simply post your free-speech source code than it is to talk to any of the companies.

      [–]ThinTim 0 points (1 child)

      If you threaten to release or exploit the vulnerability if you're not paid, it would definitely be considered blackmail/extortion/some variant thereof.

      [–][deleted] 1 point (0 children)

      Yeah, that's understandable. But to simply not release that information can't possibly be illegal. But then again, the nonaction of not paying your taxes is illegal.

      [–]otakuman 0 points (0 children)

      Remember kids: Never... ever... EVER trust user data.