It does not stop after its execution time. We have let this run for 10+
minutes to see if it would crash the server, and it did. It does not affect
the person that loads the code in the browser, just affects the server
running the code.

Dustin E. Childers
Security Administrator. CEO, Digitux Security, Inc.

----- Original Message -----
From: "Jason Murray" <[EMAIL PROTECTED]>
To: "'Dustin E. Childers'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, April 17, 2002 4:45 PM
Subject: RE: [PHP] Nasty DoS in PHP

> > I have found something interesting that can kill the server.
> > I'm not sure if this is because of Apache or PHP. If you use
> > PHP to send a header() inside of a while loop, the httpd
> > process will begin to use massive CPU and Memory until it is
> > killed, or the server is killed. Here is what I used:
> >
> > <?
> >   while(0<1) {
> >     header("A");
> >   }
> > ?>
> Umm, but, this is an infinite loop. It won't stop executing.
> Actually, it *should* stop executing once PHP hits its maximum
> execution time limit (usually 30 seconds).
> If you code something like this into pages, you've got bigger
> problems than a DoS attack.
> It's also not strictly a DoS since you'd be doing it to yourself
> if you ran this code. Of course, if you're silly enough to let
> visitors to your website upload and execute arbitrary code then
> there are, again, bigger problems (such as possibly comprimising
> root access, fetching /etc/passwd and guessing passwords, or
> getting access to other sensitive information on your file
> system).
> Unless there's something specifically bad about the Header()
> command (you didn't make it clear if this is what you were
> talking about), inifinite loops are, in general, bad.
> Jason
> --
> Jason Murray
> Web Developer, Melbourne IT
> "Work now, freak later!"

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to