I crashed a server yesterday from PHP code that was trying to create an
image with GD.  The same scenerio happened in that my entire box froze. 
No keyboard control, no mouse, no CTRL-ALT-F2, nothing.

This was also due to a header() in an infinite loop.  From my
perspective I thought that was bad code, so I fixed it.  I don't see
this as a security risk.  Allowing someone to execute code on your
server is a security risk.  Writing bad code is writing bad code.

It would be interesting to see how linux handled the load.  I might test
again and see if other services will still accept remote connections
(maybe ssh or something).  But regardless, it is a good idea not to
write bad code, and to test on a development server just in case.



On Wed, 2002-04-17 at 20:25, Dustin E. Childers wrote:
> Hello.
> I have found something interesting that can kill the server. I'm not sure if this is 
>because of Apache or PHP. If you use PHP to send a header() inside of a while loop, 
>the httpd process will begin to use massive CPU and Memory until it is killed, or the 
>server is killed. Here is what I used:
> <?
>   while(0<1) {
>     header("A");
>   }
> ?>
> We have tested this on apache 1.3.22, and apache 2.0.35, using php 4.1.2 and 
>4.2.0RC4. It was able to completly kill our servers (not apache, the entire server). 
>The loads of the server will reach 50+. I have contacted apache about this and they 
>said that it is PHP related.
> Dustin E. Childers
> Security Administrator. CEO, Digitux Security, Inc.
> http://www.digitux.net/

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to