ID: 14707
Comment by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
Status: Bogus
Bug Type: Scripting Engine problem
Operating System: Any OS, any PHP version
PHP Version: 4.1.0
New Comment:

You must design the PHP scripting language in such a way that every time a
script ends (naturally or forced), the PHP server must close all open
socket connections of the ending script by sending a TCP closing
request (FIN) to every opened socket.  Also, the server administrator
should have the power to set the maximum simultaneous socket
connections for each server account.
  Sorin Facaoaru - Sorin Media Inc.


Previous Comments:
------------------------------------------------------------------------

[2001-12-26 19:08:07] [EMAIL PROTECTED]

here's another discovery:

while(true)
  mail("[EMAIL PROTECTED]", "this is a mailbomb", "blub");



------------------------------------------------------------------------

[2001-12-26 19:06:19] [EMAIL PROTECTED]

I forgot to /bogus

------------------------------------------------------------------------

[2001-12-26 19:04:23] [EMAIL PROTECTED]

well, DoS is nothing new. thanks for rediscovering it. this is not a
PHP bug (same problem applies to virtually any language: C, Python,
Perl ..). it's a general security issue. you might solve it by limiting
the amount of connections for an IP.

Kind Regards,
  Daniel Lorch

------------------------------------------------------------------------

[2001-12-26 19:00:58] [EMAIL PROTECTED]

  I discovered the bug when I tried to make a script that creates new
PHP processes that run at the same time. Save the following script in
http://127.0.0.1/a.php, launch a.php and close the browser window:

<?$a=fsockopen("127.0.0.1", 80,$b,$c,99);fputs($a,"GET /a.php /
HTTP/1.1\r\nConnection: Keep-Alive\r\n\r\n");while(1);?>

  Even if you have set the script execution time to only several seconds,
my script will run forever and create a huge number of instances of
itself that will create more instances. Practically, the code above is a
120-byte PHP virus that can turn down a web server in minutes.

  The idea is that my script opens a socket connection on port 80 on the
web server and sends the command "get file a.php" and then waits until its
execution time ends. Meanwhile, the web server tries to return
a.php, so it executes it first, so 2 instances of a.php will exist. The
new instance will open a new socket connection and so on.

  My script can be modified to this (a.php):
<?while(1){$a=fsockopen("127.0.0.1", 80,$b,$c,99);fputs($a,"GET /a.php
/ HTTP/1.1\r\nConnection: Keep-Alive\r\n\r\n");}?>

and then every new instance of the script will launch as many instances
as it can until it gets ended by the maximum execution time.

  To fix the bug, when a PHP script ends, naturally or forced, like you
unset all variables of the script, in the same way, you have to close
all opened sockets of the script and NOT let them pending. This will
only reduce the effects of the script.

  Practically, if I make a script that registers 100 accounts or more at
www.MyCgiServer.com or at www.f2s.com and run an instance of a.php in
every account, that will mean the turning down of those web servers.

  Conclusion: it is possible to build a PHP worm virus. Also, it is
possible to make a script that runs forever, no matter what maximum
execution time is set. When running on my local Apache server, it
consumes 100% of my system's resources and my HDD is making a terrible
noise all the time.

  Author and copyright of the bug: Sorin Facaoaru -  [EMAIL PROTECTED],
www.sorin.tv

  Regards.

------------------------------------------------------------------------



Edit this bug report at http://bugs.php.net/?id=14707&edit=1
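
Added example, not part of the original thread and not PHP's or Apache's own code: a sketch of the per-IP connection cap suggested in the 19:04 comment, with a constructed model of the scenario from the 19:00 report, where each running request holds its connection open and issues one more request from the same address. The class, function and parameter names are hypothetical.

```python
from collections import defaultdict


class PerIpConnectionLimiter:
    """Caps simultaneously open connections per client IP (hypothetical helper)."""

    def __init__(self, max_per_ip):
        self.max_per_ip = max_per_ip
        self.open_by_ip = defaultdict(int)

    def try_accept(self, ip):
        """Return True and count the connection, or False to refuse it."""
        if self.open_by_ip[ip] >= self.max_per_ip:
            return False
        self.open_by_ip[ip] += 1
        return True

    def release(self, ip):
        """Call when a connection closes so its slot can be reused."""
        if self.open_by_ip[ip] > 0:
            self.open_by_ip[ip] -= 1


def simulate_self_request_chain(limiter, client_ip, worker_slots):
    """Constructed model: the script connects back to the server it runs on,
    so every request in the chain arrives from the same source address.
    Returns (workers_busy, requests_refused)."""
    busy = refused = 0
    pending = 1  # the first request that starts the chain
    while pending and busy < worker_slots:
        pending -= 1
        if limiter.try_accept(client_ip):
            busy += 1      # worker stays occupied; connection is never closed
            pending += 1   # the running script requests itself once more
        else:
            refused += 1   # refused before a worker starts: the chain ends
    return busy, refused


if __name__ == "__main__":
    # Constructed numbers: 150 worker slots, cap of 10 connections per IP.
    print("capped:  ", simulate_self_request_chain(
        PerIpConnectionLimiter(10), "127.0.0.1", 150))
    print("uncapped:", simulate_self_request_chain(
        PerIpConnectionLimiter(10**6), "127.0.0.1", 150))
```

With the cap, the chain occupies at most `max_per_ip` workers and the rest stay available to other clients; without it, every worker slot ends up busy.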


-- 
PHP Development Mailing List <http://www.php.net/>