but to do so, they would need to be on the box, and there are a bunch of
better methods in that situation.

Given that PHP's default install sets a max time limit of 30 seconds on a
script timeout, it can't have run for 10+ minutes, nor is that a reasonable
length of time for a DoS on a monitored box.

This isn't really an exploit, just bad coding.


-----Original Message-----
From: Dustin E. Childers [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 18, 2002 3:10 AM
To: Jason Murray
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Nasty DoS in PHP


It's a default PHP installation. We aren't calling set_time_limit(). I know
it's an infinite loop, the point is that if a user wanted to attack a server
(happens every day) they would be able to use this method to take the server
down.

Dustin E. Childers
Security Administrator. CEO, Digitux Security, Inc.
http://www.digitux.net/

----- Original Message -----
From: "Jason Murray" <[EMAIL PROTECTED]>
To: "'Dustin E. Childers'" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, April 17, 2002 5:04 PM
Subject: RE: [PHP] Nasty DoS in PHP


> > It does not stop after its execution time.
>
> Is your PHP actually configured to stop running after 30 seconds,
> though? It's the default, but you may have overridden it.
>
> > We have let this run for 10+ minutes to see if it would crash the
> > server, and it did.
>
> Is it possible you've called set_time_limit() to increase the
> script's timeout and thus allow it to run?
>
> > It does not affect the person that loads the code in the browser,
> > just affects the server running the code.
>
> Well ... yeah. This is not surprising :p :)
>
> Either way, the fact still remains it's an infinite loop and you
> just shouldn't write it. :)
>
> J


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

