TechEcho

PHP apps plagued by Mark of the Beast bug

17 points by _grrr over 14 years ago

3 comments

yuvadam over 14 years ago

TFA is plagued with technical inconsistencies, and generally looks like a classic copy-paste job.

Either address a technical crowd, and use proper technical terms, or use plain language anyone can understand.

"GET protocol"?

"adding a “-ffloat-store” flag to CFLAGS"??? Do they even know what this means?

Comment #2070586 not loaded
Udo over 14 years ago

It's worth noting that a simple input-sanitizing if statement applied across the $_REQUEST variable can eliminate this vulnerability, a measure that every PHP dev can use right now regardless of admin access to compile a new executable.

Also, yesterday, there was a poster in here claiming that PHP's json_decode() of an object like {"motb":"2.22507385851e-308"} would trigger the vulnerability whether the number was enclosed in quotes or not. I have since determined that this claim is false, json_decode() did not trigger the problem with or even without the quotes. In fact, the only way I was able to reliably cause the crash was by casting variables from the $_REQUEST array as float - a behavior that can be safeguarded against pretty easily.

Obviously, this is a serious issue, but it's an attack apps can be hardened against with minimal effort. For comparison, a buffer overflow vuln on the string type would be much, much more disastrous. So we're going to have to run an extra line of input sanitization for a while, that's all.

Comment #2072053 not loaded
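Udo's comment above describes guarding values taken from $_REQUEST before they are cast to float. The PHP below is an added example, not Udo's code and not from the thread, of what such a string-level guard can look like: it inspects the written exponent and length of the raw string and only then performs the (float) cast. The function names, the regular expression, the exponent threshold, the length limit and the sample input are all assumptions chosen for illustration.

```php
<?php
// Added example (not from the thread). The idea is to decide on the raw
// request string BEFORE any (float) conversion happens, so a string naming
// an extreme exponent never reaches the cast that the comment identifies
// as the trigger.

function isSafeNumericString(string $value): bool
{
    // Accept only plain decimal or scientific-notation literals.
    // Group 1: mantissa, group 2: optional signed exponent digits.
    $pattern = '/^\s*[+-]?(\d+\.?\d*|\.\d+)(?:[eE]([+-]?\d+))?\s*$/';
    if (!preg_match($pattern, $value, $m)) {
        return false;
    }

    // Group 2 is absent from $m when no exponent was written.
    $exponent = isset($m[2]) ? (int) $m[2] : 0;

    // Reject written exponents far outside ordinary application ranges.
    // Subnormal doubles sit below roughly 1e-308; the margin here is an
    // assumption and should be tuned to the application's real domain.
    $maxExponentMagnitude = 100;
    if (abs($exponent) > $maxExponentMagnitude) {
        return false;
    }

    // A very long digit string can encode an extreme value without any
    // exponent at all (many leading zeros), so bound the length as well.
    $maxLength = 40; // assumption
    if (strlen($value) > $maxLength) {
        return false;
    }

    return true;
}

// Apply the guard across a request array and cast only what passes.
function sanitizeNumericRequest(array $request): array
{
    $clean = [];
    foreach ($request as $key => $value) {
        // $_REQUEST entries may be arrays; only scalar strings are considered.
        if (!is_string($value)) {
            continue;
        }
        if (isSafeNumericString($value)) {
            $clean[$key] = (float) $value;
        }
    }
    return $clean;
}

// Constructed sample input (not real traffic); 'motb' reuses the value
// quoted in the comment above.
$sample = [
    'price' => '19.99',
    'qty'   => '3',
    'big'   => '1e250',
    'motb'  => '2.22507385851e-308',
    'note'  => 'abc',
];

foreach ($sample as $key => $value) {
    printf("%-6s %s\n", $key, isSafeNumericString($value) ? 'accepted' : 'rejected');
}

var_dump(sanitizeNumericRequest($sample));
```

The guard is deliberately conservative: it rejects exponents well above the subnormal boundary and any non-numeric string, so fields that legitimately need very large or very small magnitudes should get their own threshold rather than a global one.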
dmoney over 14 years ago

Is Mark of the Beast a common term for this type of bug (triggered by a certain number)? Never heard it before.

Comment #2071097 not loaded