[flagged]
Critical is an overstatement but it userland PHP execution does not equate to native process control. There are many situations where an attacker may have constrained PHP execution, gadget execution, template or plugin…
Yea, that's what's confusing. some of these are like lower level slop but some are like genuine criticals. Floci, libssh2, c-ares, FFmpeg, and the PHP one are all LEGIT./ The Ghidra one for example, not so much. I cant…
I disagree. That FFmpeg code execution is absolutely nasty
Ghidra one is pretty weak, but I checked out the ones that were interesting to me (c-ares, libssh2, ffmpeg) and they seem to all work as of the latest upstream commit. Weird
[flagged]
Critical is an overstatement but it userland PHP execution does not equate to native process control. There are many situations where an attacker may have constrained PHP execution, gadget execution, template or plugin…
Yea, that's what's confusing. some of these are like lower level slop but some are like genuine criticals. Floci, libssh2, c-ares, FFmpeg, and the PHP one are all LEGIT./ The Ghidra one for example, not so much. I cant…
I disagree. That FFmpeg code execution is absolutely nasty
Ghidra one is pretty weak, but I checked out the ones that were interesting to me (c-ares, libssh2, ffmpeg) and they seem to all work as of the latest upstream commit. Weird