Actually, it occurs on Solaris as well. I just coded up the script, and 
it brought my server to its knees, though I was able to break it before 
it hanged hard.

My configuration:

  * Solaris 8 108528-12
  * PHP 4.1.1 as an executable (didn't try through Apache)
  * 512mb ram, 1 @ 440MHx UltraSPARC IIi

My php.ini specifies:

  * max_execution_time = 120
  * memory_limit = 128M

Yet, I let the script run for a while (over two minutes) and it had 
managed to consume 80% of my cpu time and over one gig of virtual memory 
(phys + swap)!

It should be noted that while this is indeed a "very bad thing," the 
following snippet of C code is just as bad, yet it's not technically a 
bug -- just bad programming:

int main(void)
    void *p;
    while (1)
       p = malloc(1024);
    return 0;


Jason Murray wrote:
>>I'd be interested in knowing your versions and the versions 
>>of the first guy that posted about this. Maybe he has the same 
>>setup as me, or close enough, but both of us are different 
>>from you. 
> Actually, I just thought about it - maybe you guys are both running
> it on Windows (shame on you ;)).
> I *have* actually seen PHP bring down IIS with a setcookie command.
> Since a setcookie issues headers, I thought "fine, screw you, I'll
> set the headers myself", and it STILL brought IIS down. And indeed,
> the load *did* skyrocket and require a reboot of the server.
> I asked around here at the time if anyone had experienced this (look
> through the mailing list archive to find it) and at the time got
> more of a congratulatory salute from the list members than any real
> responses :)
> Maybe this is more of a PHP-on-IIS issue than an actual security
> issue in PHP.
> Jason


/---------------------------------------------=[ BILLY S HALSEY ]=--\
| Member of Technical Staff, Sun Microsystems, Inc. ESP Solaris SW  |
| "All opinions and technical advice offered in this message are my |
| own and not necessarily endorsed by my employer."                 |
\--=[ [EMAIL PROTECTED] ]=--------------------------------------------/

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to