It's a default PHP installation. We aren't calling set_time_limit(). I know its an infinite loop, the point is that if a user wanted to attack a server (happens every day) they would be able to use this method to take the server down.
Dustin E. Childers Security Administrator. CEO, Digitux Security, Inc. http://www.digitux.net/ ----- Original Message ----- From: "Jason Murray" <[EMAIL PROTECTED]> To: "'Dustin E. Childers'" <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Wednesday, April 17, 2002 5:04 PM Subject: RE: [PHP] Nasty DoS in PHP > > It does not stop after its execution time. > > Is your PHP actually configured to stop running after 30 seconds, > though? Its the default, but you may have overridden it. > > > We have let this run for 10+ minutes to see if it would crash the > > server, and it did. > > Is it possible you're called set_time_limit() to increase the > script's timeout and thus allow it to run? > > > It does not affect the person that loads the code in the browser, > > just affects the server running the code. > > Well ... yeah. This is not surprising :p :) > > Either way, the fact still remains it's an infinite loop and you > just shouldn't write it. :) > > J -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php