• CHEF-KOCH · 1 up / 10 down · edited · 3 years ago

    You did not prove any RCE. You linked to coding best practice. That is all.

    With this action you banned yourself from my community; also, learn the difference between RCE and CnC…

    • nutomicA · 9 up · edited · 3 years ago

      You should read the big red warning in this link. The PHP developers clearly state that using the function on untrusted input allows for remote code execution. And ip-api.com (without TLS!) doesn’t seem very trustworthy.

      • CHEF-KOCH · 1 up / 10 down · edited · 3 years ago

        You usually need to bypass multiple OS defense mechanisms, plus the IP database is public, so there is nothing you can leak that is not already known. As also explained, taking over and abusing the OS mechanism is not that easy; it often needs specific rights, and the OS and/or the PHP needs to be exploited as well. If you want to say that e.g. GET is insecure, that is an internet issue and not the tool author's problem.

        If we now question each and every single coding practice and misinterpret doomsday theories into it, no tool that is not already audited and inspected by thousands of people is left to use, and even then they can still be attacked and exploited. The point of open source is that if you find something and think you know it better, you help to fix it and do not smear the author's tool with doomsday theories. The Internet was never designed to be secure, so shall I spread "stop downloading files" now? No, I inspect, fix and test myself, which I did, and I approved it.

        As said in the original thread, you can also download a file manually and infect yourself. This is a common thing the OS must protect you from. ip-api.com does not have the highest standards, but there are standards.

        I see this as a troll attempt and therefore the ban remains. He did not have the guts to contact the original author, let me do his dirty work, but apparently has time to create this disrespectful drama here.

        It is once again my time I need to waste now, and I do not get paid for this, especially not to do other people's work, which I clearly do not want; this is why I have my strong community rules. That said, I do not support people who did not even wait until the author has time to respond; not everyone is connected 24/7.

        • nutomicA · 9 up · 3 years ago

          You clearly don't know what remote code execution is, or even what TLS is for.

          • CHEF-KOCH · 1 up / 9 down · edited · 3 years ago

            I think you do not understand that abusing it requires more than just executing a random script, which you sweep under the carpet because it benefits your wrong conclusion. If you knew, you would realize the script would just crash, misbehave etc.; it depends on the platform, its protection mechanisms etc.

            TLS also would not prevent someone who already has access to the server from delivering a malicious payload; encrypted or not plays no role. But let it go, you guys are a bunch of amateurs. Your statement that they do not have TLS is wrong too, which I debunked.

            I also do not wrongfully imply that, because Lemmy does not support 2FA, it is automatically attackable, and then smear your platform all over the place because I am not happy with best practices.

            It is not more or less secure than downloading an unknown database to your PC and then executing it; creating doomsday scenarios is disrespectful and unproven. Especially on Linux, ransomware is less effective than on e.g. Windows, so your horror scenarios, "what if …", are nonsense.
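The technical point in the exchange above (nutomic's warning about feeding an untrusted HTTP response into a PHP function whose manual warns of code execution, and the dispute over TLS) can be shown as working code. What follows is an added example; it is not code from either participant, nor from the tool under discussion, which the thread never shows. The thread also does not name the function, so the example simply takes the general precaution: fetch over verified TLS and parse the body as data only. The base URL is a placeholder (assumption) and the sample body is constructed to match the ip-api.com JSON field names.

```php
<?php
declare(strict_types=1);

// Added example: a geolocation lookup that never hands the upstream body to a
// deserializer that can instantiate objects. The endpoint is a placeholder
// (assumption); substitute the HTTPS endpoint you actually have a contract with.
const GEO_BASE_URL = 'https://example.invalid/json/';

/**
 * Validate an untrusted response body into a fixed-shape, data-only array.
 * json_decode(..., true) yields only scalars and arrays, so a hostile body can
 * at worst fail the checks below; it cannot select code to run on the way in.
 * (The PHP manual's warning for unserialize() on untrusted input is the
 * best-known instance of the opposite: a parser that can build objects.)
 */
function parse_geo_response(string $body): array
{
    $data = json_decode($body, true, 4, JSON_THROW_ON_ERROR);
    if (!is_array($data) || ($data['status'] ?? null) !== 'success') {
        throw new RuntimeException('lookup did not report success');
    }

    // Allow-list the fields we use and pin each one's type and range.
    $query = filter_var($data['query'] ?? '', FILTER_VALIDATE_IP);
    $cc    = (string)($data['countryCode'] ?? '');
    $lat   = filter_var($data['lat'] ?? '', FILTER_VALIDATE_FLOAT);
    $lon   = filter_var($data['lon'] ?? '', FILTER_VALIDATE_FLOAT);

    if ($query === false) {
        throw new RuntimeException('bad query field');
    }
    if (!preg_match('/^[A-Z]{2}$/', $cc)) {
        throw new RuntimeException('bad countryCode field');
    }
    if ($lat === false || $lat < -90 || $lat > 90) {
        throw new RuntimeException('bad lat field');
    }
    if ($lon === false || $lon < -180 || $lon > 180) {
        throw new RuntimeException('bad lon field');
    }

    return ['query' => $query, 'countryCode' => $cc, 'lat' => $lat, 'lon' => $lon];
}

/**
 * Fetch over TLS with certificate and hostname verification on, refusing any
 * plaintext scheme (also on redirect). Over plain HTTP an on-path party could
 * substitute the body, so input validation alone does not cover the transport.
 */
function fetch_geo(string $ip, string $baseUrl = GEO_BASE_URL): array
{
    $ip = filter_var($ip, FILTER_VALIDATE_IP);
    if ($ip === false) {
        throw new InvalidArgumentException('not an IP address');
    }
    $ch = curl_init($baseUrl . rawurlencode($ip));
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false,
        CURLOPT_SSL_VERIFYPEER  => true,
        CURLOPT_SSL_VERIFYHOST  => 2,
        CURLOPT_CONNECTTIMEOUT  => 3,
        CURLOPT_TIMEOUT         => 5,
    ]);
    $body = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $err  = curl_error($ch);
    curl_close($ch);
    if ($body === false || $code !== 200) {
        throw new RuntimeException("lookup failed: HTTP $code $err");
    }
    return parse_geo_response($body);
}

// Offline demo on a constructed body shaped like the ip-api.com JSON format.
$sample = '{"status":"success","countryCode":"DE","lat":52.52,"lon":13.405,"query":"203.0.113.7"}';
var_dump(parse_geo_response($sample));

// A body that does not fit the expected shape is rejected rather than used.
try {
    parse_geo_response('{"status":"success","countryCode":"DE","query":"not-an-ip"}');
} catch (Throwable $e) {
    echo get_class($e), ': ', $e->getMessage(), "\n";
}
```

The two halves are independent: `parse_geo_response()` is what keeps a malicious body from reaching anything but a validation failure, and the curl options in `fetch_geo()` are what keep a network party from supplying that body in the first place. Either one alone leaves a gap.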

    • OsrsNeedsF2P · 8 up · 3 years ago

      I dunno bud, one of your responses was

      "I use it and the tool works fine."

      Which is equally painful

      • CHEF-KOCH · 1 up / 9 down · 3 years ago

        It is irrelevant since no RCE is proven.