• @X_Cli@lemmy.ml
    2
    2 years ago

    Yeah, you should ignore that person and their communities. That person is toxic and entirely clueless, based on their response in that thread (and some others). They are one of those trolls on Lemmy… and the admins seem to tolerate that person for some reason, even though everybody complains about them.

    I had a good laugh reading your write-up :D

  • CHEF-KOCH
    -3
    2 years ago

    You did not prove any RCE. You linked to coding best practice. That is all.

    With this action you banned yourself from my community. Also, learn the difference between RCE and CnC…

    • @nutomic@lemmy.ml
      1
      2 years ago

      You should read the big red warning in this link. The PHP developers clearly state that using the function on untrusted input allows for remote code execution. And ip-api.com (without TLS!) doesn’t seem very trustworthy.

      • CHEF-KOCH
        -3
        2 years ago

        You usually need to bypass multiple OS defense mechanisms, plus the IP database is public, so there is nothing you can leak that is not already known. As also explained, taking over and abusing the OS mechanism is not that easy; it often needs specific rights, as well as the OS and/or the PHP needing to be exploited. If you want to say that e.g. GET is insecure, that is an internet issue and not the tool author's problem.

        If we now question each and every single coding practice and read doomsday theories into it, no tool that is not already audited and inspected by thousands of people is left to use, and even then they can still be attacked and exploited. The point of open source is that, if you find something and think you know better, you help to fix it and do not smear the author's tool with doomsday theories. The internet was never designed to be secure, so shall I spread "stop downloading files" now? No, I inspect, fix and test myself, which I did, and I approved it.

        As said in the original thread, you can also download a file manually and infect yourself. This is a common thing the OS must protect you from. IP-API.com does not have the highest standards, but there are standards.

        I see this as a troll attempt and therefore the ban remains. He did not have the guts to contact the original author, let me do his dirty work, but apparently has time to create this necessary drama here.

        It is once again my time I need to waste now, and I do not get paid for this, to do other people's work, which I clearly do not want to do; this is why I have my strong community rules.

          • CHEF-KOCH
            -1
            2 years ago

            I think you do not understand that abusing it requires more than just executing a random script, which you sweep under the carpet because it benefits your wrong conclusion. If you knew, you would realize the script would just crash, misbehave etc.; it depends on the platform, its protection mechanisms etc.

            TLS also would not prevent someone who already has access to the server from delivering a malicious payload; encrypted or not plays no role. But let it go, you guys are a bunch of amateurs. Your statement that they do not have TLS is wrong too, which I debunked.

            I also do not wrongfully imply that, because Lemmy does not support 2FA, it is automatically attackable, and then smear your platform all over the place because I am not happy with best practices.

            It is not more or less secure than downloading an unknown database to your PC and then executing it; creating doomsday scenarios is disrespectful and unproven. Especially on Linux, ransomware is less effective than on e.g. Windows, so your horror scenarios of "what if …" are nonsense.