[PHP] Nasty DoS in PHP

2002-04-17 Thread Dustin E. Childers

Hello.

I have found something interesting that can kill the server. I'm not sure if this is 
because of Apache or PHP. If you use PHP to send a header() inside of a while loop, 
the httpd process will begin to use massive CPU and Memory until it is killed, or the 
server is killed. Here is what I used:

<?
  while(01) {
    header(A);
  }
?>

We have tested this on apache 1.3.22, and apache 2.0.35, using php 4.1.2 and 4.2.0RC4. 
It was able to completely kill our servers (not apache, the entire server). The loads 
of the server will reach 50+. I have contacted apache about this and they said that it 
is PHP related.

Dustin E. Childers
Security Administrator. CEO, Digitux Security, Inc.
http://www.digitux.net/



Re: [PHP] Nasty DoS in PHP

2002-04-17 Thread Dustin E. Childers

php.ini:
  memory_limit = 8M  ; Maximum amount of memory a script may consume (8MB)

That is in there, I execute the code from a browser.
ps aux:
  nobody  60155 84.6 16.8 88644 87424  ??  R 5:15PM   0:23.23 /www/bin/httpd

using 84.6% of CPU and 16.8% of Memory.

Dustin E. Childers
Security Administrator. CEO, Digitux Security, Inc.
http://www.digitux.net/

- Original Message -
From: Rasmus Lerdorf [EMAIL PROTECTED]
To: Dustin E. Childers [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, April 17, 2002 12:58 PM
Subject: Re: [PHP] Nasty DoS in PHP


 Turn on the memory-limit option

 On Wed, 17 Apr 2002, Dustin E. Childers wrote:

  Hello.
 
  I have found something interesting that can kill the server. I'm not
sure if this is because of Apache or PHP. If you use PHP to send a header()
inside of a while loop, the httpd process will begin to use massive CPU and
Memory until it is killed, or the server is killed. Here is what I used:
 
  <?
    while(01) {
      header(A);
    }
  ?>
 
  We have tested this on apache 1.3.22, and apache 2.0.35, using php 4.1.2
and 4.2.0RC4. It was able to completely kill our servers (not apache, the
entire server). The loads of the server will reach 50+. I have contacted
apache about this and they said that it is PHP related.
 
  Dustin E. Childers
  Security Administrator. CEO, Digitux Security, Inc.
  http://www.digitux.net/
 



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
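
The `ps aux` check from the message above, turned into a repeatable detection (an added example, not part of the thread): it flags web-server workers whose CPU or resident memory exceeds a budget derived from `memory_limit`. The function names, the `baseline_kb` allowance and the thresholds are assumptions, and the sample's header and second row are constructed.

```python
import re

# Constructed sample: the first data row is the `ps aux` line quoted in the
# message above; the header and the second row are made up for contrast.
SAMPLE_PS = """\
USER     PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED      TIME COMMAND
nobody 60155 84.6 16.8 88644 87424  ??  R    5:15PM    0:23.23 /www/bin/httpd
nobody 60102  0.0  1.1  6120  5732  ??  S    5:02PM    0:00.41 /www/bin/httpd
"""

def parse_size_kb(value):
    """Convert a php.ini shorthand size such as '8M' to kilobytes."""
    m = re.fullmatch(r"(\d+)\s*([KMG]?)", value.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised size: {value!r}")
    factor = {"": 1 / 1024, "K": 1, "M": 1024, "G": 1024 * 1024}[m.group(2).upper()]
    return int(int(m.group(1)) * factor)

def find_runaway_workers(ps_output, memory_limit="8M", baseline_kb=8192,
                         cpu_threshold=50.0, command_suffix="httpd"):
    """Return (pid, reasons) for web-server workers over the CPU or RSS budget.

    The RSS budget is memory_limit plus baseline_kb, an assumed allowance for
    the worker's own footprint before any script runs.
    """
    rss_budget = parse_size_kb(memory_limit) + baseline_kb
    flagged = []
    for line in ps_output.splitlines():
        fields = line.split(None, 10)   # 11 columns; COMMAND may contain spaces
        if len(fields) < 11 or not fields[1].isdigit():
            continue                    # header or malformed row
        pid, cpu, rss = int(fields[1]), float(fields[2]), int(fields[5])
        if not fields[10].split()[0].endswith(command_suffix):
            continue                    # not a web-server worker
        reasons = []
        if cpu > cpu_threshold:
            reasons.append(f"cpu {cpu}% > {cpu_threshold}%")
        if rss > rss_budget:
            reasons.append(f"rss {rss}K > budget {rss_budget}K")
        if reasons:
            flagged.append((pid, reasons))
    return flagged

if __name__ == "__main__":
    for pid, reasons in find_runaway_workers(SAMPLE_PS):
        print(pid, "; ".join(reasons))
```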




Re: [PHP] Nasty DoS in PHP

2002-04-17 Thread Dustin E. Childers

It does not stop after its execution time. We have let this run for 10+
minutes to see if it would crash the server, and it did. It does not affect
the person that loads the code in the browser, just affects the server
running the code.

Dustin E. Childers
Security Administrator. CEO, Digitux Security, Inc.
http://www.digitux.net/

- Original Message -
From: Jason Murray [EMAIL PROTECTED]
To: 'Dustin E. Childers' [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, April 17, 2002 4:45 PM
Subject: RE: [PHP] Nasty DoS in PHP


  I have found something interesting that can kill the server.
  I'm not sure if this is because of Apache or PHP. If you use
  PHP to send a header() inside of a while loop, the httpd
  process will begin to use massive CPU and Memory until it is
  killed, or the server is killed. Here is what I used:
 
  <?
    while(01) {
      header(A);
    }
  ?>

 Umm, but, this is an infinite loop. It won't stop executing.

 Actually, it *should* stop executing once PHP hits its maximum
 execution time limit (usually 30 seconds).

 If you code something like this into pages, you've got bigger
 problems than a DoS attack.

 It's also not strictly a DoS since you'd be doing it to yourself
 if you ran this code. Of course, if you're silly enough to let
 visitors to your website upload and execute arbitrary code then
 there are, again, bigger problems (such as possibly compromising
 root access, fetching /etc/passwd and guessing passwords, or
 getting access to other sensitive information on your file
 system).

 Unless there's something specifically bad about the Header()
 command (you didn't make it clear if this is what you were
 talking about), infinite loops are, in general, bad.

 Jason

 --
 Jason Murray
 [EMAIL PROTECTED]
 Web Developer, Melbourne IT
 Work now, freak later!






Re: [PHP] Nasty DoS in PHP

2002-04-17 Thread Dustin E. Childers

It's a default PHP installation. We aren't calling set_time_limit(). I know
it's an infinite loop, the point is that if a user wanted to attack a server
(happens every day) they would be able to use this method to take the server
down.

Dustin E. Childers
Security Administrator. CEO, Digitux Security, Inc.
http://www.digitux.net/

- Original Message -
From: Jason Murray [EMAIL PROTECTED]
To: 'Dustin E. Childers' [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, April 17, 2002 5:04 PM
Subject: RE: [PHP] Nasty DoS in PHP


  It does not stop after its execution time.

 Is your PHP actually configured to stop running after 30 seconds,
 though? It's the default, but you may have overridden it.

  We have let this run for 10+ minutes to see if it would crash the
  server, and it did.

 Is it possible you've called set_time_limit() to increase the
 script's timeout and thus allow it to run?

  It does not affect the person that loads the code in the browser,
  just affects the server running the code.

 Well ... yeah. This is not surprising :p :)

 Either way, the fact still remains it's an infinite loop and you
 just shouldn't write it. :)

 J






Re: [PHP] Nasty DoS in PHP

2002-04-17 Thread Dustin E. Childers

If the user has enough access to the server to place files on it ?

There are hosting places that have PHP and you can just upload the PHP
script through FTP and access it in your browser.

Dustin E. Childers
Security Administrator. CEO, Digitux Security, Inc.
http://www.digitux.net/

- Original Message -
From: Jason Murray [EMAIL PROTECTED]
To: 'Dustin E. Childers' [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, April 17, 2002 5:14 PM
Subject: RE: [PHP] Nasty DoS in PHP


  It's a default PHP installation. We aren't calling set_time_limit().
  I know it's an infinite loop, the point is that if a user wanted to
  attack a server (happens every day) they would be able to use this
  method to take the server down.

 But, if the user has enough access to the server to place files on it,
 then they can do much, much worse stuff than running an infinite loop
 in PHP. Like I said, if it gets to that point you have bigger problems.

 Jason






Re: [PHP] Nasty DoS in PHP

2002-04-17 Thread Dustin E. Childers

You can't upload a binary file to a server and access it through a web
browser. The most it will do is either show the 'source' for file or ask you
to download it. Yes, this is probably not a major DoS attack..and there
aren't many free hosts out there that have PHP support. The most you could
probably do is take out your own server, but you never know what script
kiddies are willing to do in order to take down a server.

Dustin E. Childers
Security Administrator. CEO, Digitux Security, Inc.
http://www.digitux.net/

- Original Message -
From: James Cox [EMAIL PROTECTED]
To: Dustin E. Childers [EMAIL PROTECTED]; Jason Murray
[EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, April 17, 2002 5:28 PM
Subject: RE: [PHP] Nasty DoS in PHP


 so why not upload a binary file and execute that ? quick root-kit later and
 you're in.


 -Original Message-
 From: Dustin E. Childers [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, April 18, 2002 3:22 AM
 To: Jason Murray
 Cc: [EMAIL PROTECTED]
 Subject: Re: [PHP] Nasty DoS in PHP


 If the user has enough access to the server to place files on it ?

 There are hosting places that have PHP and you can just upload the PHP
 script through FTP and access it in your browser.

 Dustin E. Childers
 Security Administrator. CEO, Digitux Security, Inc.
 http://www.digitux.net/

 - Original Message -
 From: Jason Murray [EMAIL PROTECTED]
 To: 'Dustin E. Childers' [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Sent: Wednesday, April 17, 2002 5:14 PM
 Subject: RE: [PHP] Nasty DoS in PHP


   It's a default PHP installation. We aren't calling set_time_limit().
   I know it's an infinite loop, the point is that if a user wanted to
   attack a server (happens every day) they would be able to use this
   method to take the server down.
 
  But, if the user has enough access to the server to place files on it,
  then they can do much, much worse stuff than running an infinite loop
  in PHP. Like I said, if it gets to that point you have bigger problems.
 
  Jason




