RE: [PHP] Nasty DoS in PHP

2002-04-18 Thread Jason Murray

> Mine produced the same error message as yours, Jason, but the memory
> and CPU usage continued until I hit the 'stop' button on the browser.
> It seemed to have overridden both time and memory limits, as it had
> racked up 320 megs of my RAM by the time I stopped it.

It certainly didn't do that here, but it could be a difference between
RAM, PHP and Apache versions (simple paranoia ;)) that causes it. 

PHP clearly sent the error *to my browser* and the browser stopped loading
immediately (thus, the fatal error was indeed fatal, and PHP terminated
at that time).

J

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




RE: [PHP] Nasty DoS in PHP

2002-04-18 Thread Jason Soza

Very odd indeed. Well, here's my setup:
Windoze2K
PHP 4.1.2
Apache 1.3.something
Accessing it via IE 6.0, although this should not have any bearing on
anything

I'd be interested in knowing your versions and the versions of the first guy
that posted about this. Maybe he has the same setup as me, or close enough,
but both of us are different from you. My browser just kept loading and
loading like all was well, while task manager was skipping all over the
place and I had to wait 5 - 10 seconds after I moved my mouse for the cursor
to move. I timed the script, and after 30 secs, it was still going (although
I stopped it soon thereafter to keep from having to reboot). So I reset
php.ini's execution time limit down to 5 seconds and ran it twice more, and
both times it went well past 5 seconds.

Of course, none of this bothers me as I won't be putting while(01) {
header(A) } into any of my scripts, nor was I ever planning on it! :)





RE: [PHP] Nasty DoS in PHP | Windows only?

2002-04-18 Thread Jason Murray

> I'd be interested in knowing your versions and the versions
> of the first guy that posted about this. Maybe he has the same
> setup as me, or close enough, but both of us are different
> from you.

Actually, I just thought about it - maybe you guys are both running
it on Windows (shame on you ;)).

I *have* actually seen PHP bring down IIS with a setcookie command.
Since a setcookie issues headers, I thought fine, screw you, I'll
set the headers myself, and it STILL brought IIS down. And indeed,
the load *did* skyrocket and require a reboot of the server.

I asked around here at the time if anyone had experienced this (look
through the mailing list archive to find it) and at the time got
more of a congratulatory salute from the list members than any real
responses :)

Maybe this is more of a PHP-on-IIS issue than an actual security
issue in PHP.

Jason





Re: [PHP] Nasty DoS in PHP | Windows only?

2002-04-18 Thread DRaGoNLz


- Original Message -
From: Jason Murray [EMAIL PROTECTED]
To: 'Jason Soza' [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, April 17, 2002 11:36 PM
Subject: RE: [PHP] Nasty DoS in PHP | Windows only?


> > I'd be interested in knowing your versions and the versions
> > of the first guy that posted about this. Maybe he has the same
> > setup as me, or close enough, but both of us are different
> > from you.
>
> Actually, I just thought about it - maybe you guys are both running
> it on Windows (shame on you ;)).
>
> I *have* actually seen PHP bring down IIS with a setcookie command.
> Since a setcookie issues headers, I thought fine, screw you, I'll
> set the headers myself, and it STILL brought IIS down. And indeed,
> the load *did* skyrocket and require a reboot of the server.

I know what you are saying. I've taken down apache on win32 with setcookie


> I asked around here at the time if anyone had experienced this (look
> through the mailing list archive to find it) and at the time got
> more of a congratulatory salute from the list members than any real
> responses :)
>
> Maybe this is more of a PHP-on-IIS issue than an actual security
> issue in PHP.


I'm pretty sure they ran PHP on apache, not IIS. Maybe this problem is only
with the win32 version of the PHP module.

Nonetheless, a bug is still a bug. It would be nice if it wasn't there=)

> Jason





RE: [PHP] Nasty DoS in PHP | Windows only?

2002-04-18 Thread Jason Murray

> I know what you are saying. I've taken down apache on win32
> with setcookie
[snip]
> I'm pretty sure they ran PHP on apache, not IIS. Maybe this
> problem is only with the win32 version of the PHP module.

Yep, apparently I can't read. Apache, IIS, same header() probs.

> Nonetheless, a bug is still a bug. It would be nice if it
> wasn't there=)

Agreed! :)

J





RE: [PHP] Nasty DoS in PHP

2002-04-18 Thread Darren Gamble

Good day,

Just reading this thread, figured I would put my $0.02 in.

This is apparently a known problem.  It seems to occur whenever the php
script uses lots of memory, actually, and it does the same thing whether
it's run standalone or as a module.

I first experienced it when I had a PHP script load a 10 meg LDAP database
into memory, which took some 90 Megs of RAM to do (overhead, I guess).  If I
ran the script standalone, it wouldn't quit right away.  If it was run as a
module, Apache would have to kill the child off (it logged this activity) if
I asked Apache to shut down.  If I ran the script a few times, all of the
memory of the machine would be used up, and I'd have to kill off Apache to
get it back.


Darren Gamble
Planner, Regional Services
Shaw Cablesystems GP
630 - 3rd Avenue SW
Calgary, Alberta, Canada
T2P 4L4
(403) 781-4948


-Original Message-
From: Jason Soza [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 18, 2002 12:10 AM
To: [EMAIL PROTECTED]
Subject: RE: [PHP] Nasty DoS in PHP


Mine produced the same error message as yours, Jason, but the memory and CPU
usage continued until I hit the 'stop' button on the browser. It seemed to
have overridden both time and memory limits, as it had racked up 320 megs of
my RAM by the time I stopped it.

Jason

-Original Message-
From: Jason Murray [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 17, 2002 9:57 PM
To: 'CC Zona'; [EMAIL PROTECTED]
Subject: RE: [PHP] Nasty DoS in PHP


> So that was both as an Apache mod and a CGI binary?  Sounds like it's
> reproducible.

Running as an Apache module here, it terminated as expected at 30 seconds.

Jason






Re: [PHP] Nasty DoS in PHP

2002-04-18 Thread Justin Farnsworth

Darren Gamble wrote:
This is probably just one of those cases that by the time
the application determines that its child has exceeded
its configured limits in resources, there are not enough resources
(memory in this case) left to do the housekeeping and
kill off the child.

An acceptable algorithm to handle this might be difficult,
namely, Apache would possibly have to keep track of the
amount of heap left to it, make a difficult decision to
kill the child before it exceeded its configured limits.

In the mean time, sendmail, running on the same machine
as Apache, grabs a bunch of memory and Apache, doing
its best with what it thinks is available, gets screwed
anyway with its new, sophisticated algorithm.  Sendmail
dies too.  Maybe kerneld dies too.  The machine dies.

Er, I'll leave this to the CS researchers.  We ain't
gonna solve problems like this.  I am not even sure
this is worth a bug report...

If there could be a moral to this thread, it is, go
buy a few more Gigs of memory.

_justin

===


 

-- 
Justin Farnsworth
Eye Integrated Communications
321 South Evans - Suite 203
Greenville, NC 27858 | Tel: (252) 353-0722





Re: [PHP] Nasty DoS in PHP | Windows only?

2002-04-18 Thread Billy S Halsey

Actually, it occurs on Solaris as well. I just coded up the script, and 
it brought my server to its knees, though I was able to break it before 
it hanged hard.

My configuration:

  * Solaris 8 108528-12
  * PHP 4.1.1 as an executable (didn't try through Apache)
  * 512mb ram, 1 @ 440MHz UltraSPARC IIi

My php.ini specifies:

  * max_execution_time = 120
  * memory_limit = 128M

Yet, I let the script run for a while (over two minutes) and it had 
managed to consume 80% of my cpu time and over one gig of virtual memory 
(phys + swap)!

It should be noted that while this is indeed a very bad thing, the 
following snippet of C code is just as bad, yet it's not technically a 
bug -- just bad programming:

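#include <stdlib.h>

int main(void)
{
    void *p;

    /* Allocates 1 KB per pass and never frees it: memory use grows without bound. */
    while (1)
        p = malloc(1024);
    /*NOTREACHED*/
    return 0;
}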

/bsh/



-- 


/-=[ BILLY S HALSEY ]=--\
| Member of Technical Staff, Sun Microsystems, Inc. ESP Solaris SW  |
| All opinions and technical advice offered in this message are my |
| own and not necessarily endorsed by my employer. |
\--=[ [EMAIL PROTECTED] ]=/






Re: [PHP] Nasty DoS in PHP | Windows only?

2002-04-18 Thread Gerard Samuel

Just catching up on my emails and saw this thread.
Just a note that it didn't happen under
FreeBSD 4.5-R p3
PHP 4.1.2 (Apache module)
386M Ram, PIII 450 box

The script died after the max_time setting, and apache's children 
returned back to their happy go lucky nature all by themselves...






Re: [PHP] Nasty DoS in PHP

2002-04-18 Thread Paul Roberts

Also win2k and apache(cgi).
I got an internal server error, due to the malformed header. CPU usage peaked at 100%
and then dropped off.

So I changed the code to the loop below and max execution time came up but CPU usage
didn't drop straight off, so I had a closer look: php exits after 30 seconds but the CPU
usage continues in ie and apache and the page keeps loading, so I think that's down to
output buffering. Interestingly I had no trouble loading phpmyadmin and running a
query while this was happening, it was just a little slower.

<?php
$a = 1;
while (01) {
    $a++;
    echo $a . "<br>";
}
?>

So if you want to crash your server with an infinite loop there's plenty of ways to do
it. <g>
Paul Roberts
[EMAIL PROTECTED]







Re: [PHP] Nasty DoS in PHP

2002-04-17 Thread Rasmus Lerdorf

Turn on the memory-limit option

On Wed, 17 Apr 2002, Dustin E. Childers wrote:

> Hello.
>
> I have found something interesting that can kill the server. I'm not sure if this is
> because of Apache or PHP. If you use PHP to send a header() inside of a while loop,
> the httpd process will begin to use massive CPU and Memory until it is killed, or the
> server is killed. Here is what I used:
>
> <?
>   while(01) {
>     header("A");
>   }
> ?>
>
> We have tested this on apache 1.3.22, and apache 2.0.35, using php 4.1.2 and
> 4.2.0RC4. It was able to completely kill our servers (not apache, the entire server).
> The loads of the server will reach 50+. I have contacted apache about this and they
> said that it is PHP related.
>
> Dustin E. Childers
> Security Administrator. CEO, Digitux Security, Inc.
> http://www.digitux.net/







Re: [PHP] Nasty DoS in PHP

2002-04-17 Thread Dustin E. Childers

php.ini:
  memory_limit = 8M  ; Maximum amount of memory a script may consume (8MB)

That is in there, I execute the code from a browser.
ps aux:
  nobody  60155 84.6 16.8 88644 87424  ??  R 5:15PM   0:23.23 /www/bin/httpd

using 84.6% of CPU and 16.8% of Memory.

Dustin E. Childers
Security Administrator. CEO, Digitux Security, Inc.
http://www.digitux.net/





RE: [PHP] Nasty DoS in PHP

2002-04-17 Thread Jason Murray

> I have found something interesting that can kill the server.
> I'm not sure if this is because of Apache or PHP. If you use
> PHP to send a header() inside of a while loop, the httpd
> process will begin to use massive CPU and Memory until it is
> killed, or the server is killed. Here is what I used:
>
> <?
>   while(01) {
>     header("A");
>   }
> ?>

Umm, but, this is an infinite loop. It won't stop executing.

Actually, it *should* stop executing once PHP hits its maximum
execution time limit (usually 30 seconds).

If you code something like this into pages, you've got bigger
problems than a DoS attack.

It's also not strictly a DoS since you'd be doing it to yourself
if you ran this code. Of course, if you're silly enough to let
visitors to your website upload and execute arbitrary code then
there are, again, bigger problems (such as possibly compromising
root access, fetching /etc/passwd and guessing passwords, or 
getting access to other sensitive information on your file 
system).

Unless there's something specifically bad about the Header()
command (you didn't make it clear if this is what you were
talking about), infinite loops are, in general, bad.

Jason

-- 
Jason Murray
[EMAIL PROTECTED]
Web Developer, Melbourne IT
Work now, freak later!





Re: [PHP] Nasty DoS in PHP

2002-04-17 Thread Dustin E. Childers

It does not stop after its execution time. We have let this run for 10+
minutes to see if it would crash the server, and it did. It does not affect
the person that loads the code in the browser, just affects the server
running the code.

Dustin E. Childers
Security Administrator. CEO, Digitux Security, Inc.
http://www.digitux.net/





Re: [PHP] Nasty DoS in PHP

2002-04-17 Thread CC Zona

In article <000401c1e67b$dd64c820$2fa3f318@blackbox>,
 [EMAIL PROTECTED] (Dustin E. Childers) wrote:

> It does not stop after its execution time. We have let this run for 10+
> minutes to see if it would crash the server, and it did. It does not affect
> the person that loads the code in the browser, just affects the server
> running the code.

You say that the script is exceeding both the memory limit and time limit; 
have you run phpinfo() from this script to confirm that those settings are 
in effect?  Perhaps the wrong php.ini file is being used, or the php.ini 
settings are being overridden by settings in httpd.conf, .htaccess, or even 
the script itself...

-- 
CC
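
CC Zona's check, as an added example that is not part of the original post: rather than reading the whole phpinfo() page, this script prints which php.ini was loaded and compares the master value of memory_limit and max_execution_time with the value in effect for the request. It assumes a current PHP release (the details argument of ini_get_all() and php_ini_loaded_file() are not in the PHP 4.1 builds discussed in this thread); shorthand_to_bytes() and audit_limits() are names made up for the example.

```php
<?php
// Added example: show which resource limits PHP enforces for this request.
// shorthand_to_bytes() and audit_limits() are names made up for this sketch.

/** Convert php.ini shorthand ("8M", "1G", "512K") to bytes; "-1" means unlimited. */
function shorthand_to_bytes(string $value): int
{
    $value = trim($value);
    if ($value === '-1') {
        return -1;
    }
    $number = (int) $value;                     // "8M" casts to 8
    switch (strtolower(substr($value, -1))) {
        case 'g': return $number * 1024 ** 3;
        case 'm': return $number * 1024 ** 2;
        case 'k': return $number * 1024;
        default:  return $number;
    }
}

/** Collect the loaded php.ini, the master and effective limits, and any warnings. */
function audit_limits(): array
{
    $report = [
        'sapi'     => PHP_SAPI,                 // e.g. apache2handler, cgi-fcgi, cli
        'ini_file' => php_ini_loaded_file() ?: '(none loaded)',
        'limits'   => [],
        'findings' => [],
    ];
    $all = ini_get_all(null, true);             // details: global_value / local_value

    foreach (['memory_limit', 'max_execution_time'] as $name) {
        if (!isset($all[$name])) {
            $report['findings'][] = "$name is not available in this build";
            continue;
        }
        $master = (string) $all[$name]['global_value'];
        $local  = (string) $all[$name]['local_value'];
        $report['limits'][$name] = ['master' => $master, 'effective' => $local];

        // A difference means something other than php.ini set the value:
        // httpd.conf, .htaccess, or the script itself.
        if ($master !== $local) {
            $report['findings'][] =
                "$name: master value '$master' is overridden to '$local' for this request";
        }
    }

    $mem = $report['limits']['memory_limit']['effective'] ?? null;
    if ($mem !== null && shorthand_to_bytes($mem) === -1) {
        $report['findings'][] = 'memory_limit is -1: no per-script memory cap is enforced';
    }

    $time = $report['limits']['max_execution_time']['effective'] ?? null;
    if ($time !== null && (int) $time === 0) {
        $report['findings'][] = 'max_execution_time is 0: scripts are never timed out';
    }

    return $report;
}

// Plain-text output so the result reads the same in a browser and on a terminal.
if (PHP_SAPI !== 'cli' && !headers_sent()) {
    header('Content-Type: text/plain');
}

$report = audit_limits();
printf("SAPI:    %s\nphp.ini: %s\n\n", $report['sapi'], $report['ini_file']);

foreach ($report['limits'] as $name => $values) {
    $extra = '';
    if ($name === 'memory_limit' && shorthand_to_bytes($values['effective']) > 0) {
        $extra = sprintf(' (%d bytes)', shorthand_to_bytes($values['effective']));
    }
    printf("%-20s master=%-8s effective=%s%s\n",
        $name, $values['master'], $values['effective'], $extra);
}

echo "\n";
if ($report['findings'] === []) {
    echo "Limits match php.ini and are finite.\n";
} else {
    foreach ($report['findings'] as $finding) {
        echo "WARNING: $finding\n";
    }
}
```

Request it through the same web server and directory as the script under test: the command-line binary may load a different php.ini and runs with max_execution_time set to 0 by default.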





RE: [PHP] Nasty DoS in PHP

2002-04-17 Thread Jason Murray

> It does not stop after its execution time.

Is your PHP actually configured to stop running after 30 seconds,
though? It's the default, but you may have overridden it.

> We have let this run for 10+ minutes to see if it would crash the
> server, and it did.

Is it possible you've called set_time_limit() to increase the
script's timeout and thus allow it to run?

> It does not affect the person that loads the code in the browser,
> just affects the server running the code.

Well ... yeah. This is not surprising :p :)

Either way, the fact still remains it's an infinite loop and you
just shouldn't write it. :)

J





Re: [PHP] Nasty DoS in PHP

2002-04-17 Thread Dustin E. Childers

It's a default PHP installation. We aren't calling set_time_limit(). I know
it's an infinite loop, the point is that if a user wanted to attack a server
(happens every day) they would be able to use this method to take the server
down.

Dustin E. Childers
Security Administrator. CEO, Digitux Security, Inc.
http://www.digitux.net/





RE: [PHP] Nasty DoS in PHP

2002-04-17 Thread James Cox

But to do so, they would need to be on the box, and there are a bunch of
better methods in that situation.

Given that php's default install sets a max time limit of 30 seconds on a
script timeout, it can't have run for 10+ minutes, nor is that a reasonable
length of time for a DoS on a monitored box.

This isn't really an exploit, just bad coding.






RE: [PHP] Nasty DoS in PHP

2002-04-17 Thread Jason Murray

> It's a default PHP installation. We aren't calling set_time_limit().
> I know it's an infinite loop, the point is that if a user wanted to
> attack a server (happens every day) they would be able to use this
> method to take the server down.

But, if the user has enough access to the server to place files on it,
then they can do much, much worse stuff than running an infinite loop 
in PHP. Like I said, if it gets to that point you have bigger problems.

Jason





Re: [PHP] Nasty DoS in PHP

2002-04-17 Thread Dustin E. Childers

If the user has enough access to the server to place files on it ?

There are hosting places that have PHP and you can just upload the PHP
script through FTP and access it in your browser.

Dustin E. Childers
Security Administrator. CEO, Digitux Security, Inc.
http://www.digitux.net/





RE: [PHP] Nasty DoS in PHP

2002-04-17 Thread James Cox

So why not upload a binary file and execute that? Quick root-kit later and
you're in.


-Original Message-
From: Dustin E. Childers [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 18, 2002 3:22 AM
To: Jason Murray
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Nasty DoS in PHP


If the user has enough access to the server to place files on it ?

There are hosting places that have PHP and you can just upload the PHP
script through FTP and access it in your browser.

Dustin E. Childers
Security Administrator. CEO, Digitux Security, Inc.
http://www.digitux.net/

- Original Message -
From: Jason Murray [EMAIL PROTECTED]
To: 'Dustin E. Childers' [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, April 17, 2002 5:14 PM
Subject: RE: [PHP] Nasty DoS in PHP


  It's a default PHP installation. We aren't calling set_time_limit().
  I know its an infinite loop, the point is that if a user wanted to
  attack a server (happens every day) they would be able to use this
  method to take the server down.

 But, if the user has enough access to the server to place files on it,
 then they can do much, much worse stuff than running an infinite loop
 in PHP. Like I said, if it gets to that point you have bigger problems.

 Jason






RE: [PHP] Nasty DoS in PHP

2002-04-17 Thread Jason Murray

 If the user has enough access to the server to place files on it ?
 
 There are hosting places that have PHP and you can just upload the PHP
 script through FTP and access it in your browser.

... in which case all you'll accomplish is taking out your own server,
which is not a DoS attack. :)

(This is also why it's very hard to find free servers with PHP on them)

J





Re: [PHP] Nasty DoS in PHP

2002-04-17 Thread Dustin E. Childers

You can't upload a binary file to a server and access it through a web
browser. The most it will do is either show the 'source' for the file or ask you
to download it. Yes, this is probably not a major DoS attack..and there
aren't many free hosts out there that have PHP support. The most you could
probably do is take out your own server, but you never know what script
kiddies are willing to do in order to take down a server.

Dustin E. Childers
Security Administrator. CEO, Digitux Security, Inc.
http://www.digitux.net/

- Original Message -
From: James Cox [EMAIL PROTECTED]
To: Dustin E. Childers [EMAIL PROTECTED]; Jason Murray
[EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, April 17, 2002 5:28 PM
Subject: RE: [PHP] Nasty DoS in PHP


 so why not upload a binary file and execute that ? quick root-kit later
 and you're in.


 -Original Message-
 From: Dustin E. Childers [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, April 18, 2002 3:22 AM
 To: Jason Murray
 Cc: [EMAIL PROTECTED]
 Subject: Re: [PHP] Nasty DoS in PHP


 If the user has enough access to the server to place files on it ?

 There are hosting places that have PHP and you can just upload the PHP
 script through FTP and access it in your browser.

 Dustin E. Childers
 Security Administrator. CEO, Digitux Security, Inc.
 http://www.digitux.net/

 - Original Message -
 From: Jason Murray [EMAIL PROTECTED]
 To: 'Dustin E. Childers' [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Sent: Wednesday, April 17, 2002 5:14 PM
 Subject: RE: [PHP] Nasty DoS in PHP


   It's a default PHP installation. We aren't calling set_time_limit().
   I know it's an infinite loop, the point is that if a user wanted to
   attack a server (happens every day) they would be able to use this
   method to take the server down.
 
  But, if the user has enough access to the server to place files on it,
  then they can do much, much worse stuff than running an infinite loop
  in PHP. Like I said, if it gets to that point you have bigger problems.
 
  Jason






RE: [PHP] Nasty DoS in PHP

2002-04-17 Thread James Cox

Well, if you were able to upload a PHP script, you'd also be able to upload
a binary file, which would have the ability to run exec(yourbinary);

...

-Original Message-
From: Dustin E. Childers [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 18, 2002 3:41 AM
To: James Cox
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Nasty DoS in PHP


You can't upload a binary file to a server and access it through a web
browser. The most it will do is either show the 'source' for the file or ask you
to download it. Yes, this is probably not a major DoS attack..and there
aren't many free hosts out there that have PHP support. The most you could
probably do is take out your own server, but you never know what script
kiddies are willing to do in order to take down a server.

Dustin E. Childers
Security Administrator. CEO, Digitux Security, Inc.
http://www.digitux.net/

- Original Message -
From: James Cox [EMAIL PROTECTED]
To: Dustin E. Childers [EMAIL PROTECTED]; Jason Murray
[EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, April 17, 2002 5:28 PM
Subject: RE: [PHP] Nasty DoS in PHP


 so why not upload a binary file and execute that ? quick root-kit later
 and you're in.


 -Original Message-
 From: Dustin E. Childers [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, April 18, 2002 3:22 AM
 To: Jason Murray
 Cc: [EMAIL PROTECTED]
 Subject: Re: [PHP] Nasty DoS in PHP


 If the user has enough access to the server to place files on it ?

 There are hosting places that have PHP and you can just upload the PHP
 script through FTP and access it in your browser.

 Dustin E. Childers
 Security Administrator. CEO, Digitux Security, Inc.
 http://www.digitux.net/

 - Original Message -
 From: Jason Murray [EMAIL PROTECTED]
 To: 'Dustin E. Childers' [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Sent: Wednesday, April 17, 2002 5:14 PM
 Subject: RE: [PHP] Nasty DoS in PHP


   It's a default PHP installation. We aren't calling set_time_limit().
   I know it's an infinite loop, the point is that if a user wanted to
   attack a server (happens every day) they would be able to use this
   method to take the server down.
 
  But, if the user has enough access to the server to place files on it,
  then they can do much, much worse stuff than running an infinite loop
  in PHP. Like I said, if it gets to that point you have bigger problems.
 
  Jason






Re: [PHP] Nasty DoS in PHP

2002-04-17 Thread Justin Farnsworth

Guys:

This is a rather meaningless thread.  It is a
security issue that is displaced.

Anybody can take down his own machine with a couple of
lines of code.  It is not the (entire) responsibility of the
language to protect the machine from resource exhaustion
or whatever.

In security, you have the concept of the trusted user,
and the users on my machine I trust.  If you are
running a public server, you just don't let any
code go on to the machine if it is not from a
trusted user.  The only alternative is for the
server owner to inspect the code in order to
trust the code, if he does not trust the user.

If a server owner lets script kiddies on the server,
it is a security issue, not a PHP issue.  If the
originator of this thread thinks this is a weakness
in PHP with the posted code, he is mistaken.

_justin
-- 
Justin Farnsworth
Eye Integrated Communications
321 South Evans - Suite 203
Greenville, NC 27858 | Tel: (252) 353-0722





Re: [PHP] Nasty DoS in PHP

2002-04-17 Thread CC Zona

In article p05100304b8e3cee5ab0c@[210.49.237.250],
 [EMAIL PROTECTED] (Richard Archer) wrote:

 At 8:55 PM -0400 17/4/02, Justin Farnsworth wrote:
 
 This is a rather meaningless thread.  It is a
 security issue that is displaced.
 
 If PHP is not honoring the time limit and memory usage directives
 when outputting headers, then this is a bug in PHP.

A big if, since the OP has not yet verified that the time limit and 
memory limit are in effect at the outset of the loop as supposed.  Someone 
else want to test for this scenario?  Someone, that is, who can 
deliberately bring down their server without getting kicked off permanently?

Meanwhile...

 If this allows a DoS attack, then this is a very real security problem.

Why should it?  Even if there is a verifiable bug allowing time/memory 
limits to be exceeded when header() goes into an infinite loop, how could 
someone exploit this from the outside?  If a scripter is letting any random 
web visitor put their script into an infinite loop, then the results are at 
*least* as much the scripter's fault as PHP's.  Ditto for the scripter who 
sets the infinite loop himself while allowing the web user to specify what 
function gets executed in the loop.  And if neither of these is happening, 
then where's the DoS?  As has already been pointed out, someone bringing 
down their own server with their own code, isn't a DoS.  It's usually poor 
coding, and _possibly_ (see above) attributable to a bug, but it's not a 
DoS.

As far as I can tell, the only security problem here is the usual one: 
figuring out who is clueful enough and responsible enough to be trusted 
with access to operations which can compromise the server.

Whether there is a bug or not remains an open question.  I'll be curious to 
hear whether anyone is able to reproduce a server crash in spite of 
set_time_limit(30) and ini_set("memory_limit","8M") conditions.

-- 
CC





RE: [PHP] Nasty DoS in PHP

2002-04-17 Thread Martin Towell

[snip]

  If this allows a DoS attack, then this is a very real security problem.
 
 Why should it?  Even if there is a verifiable bug allowing time/memory 
 limits to be exceeded when header() goes into an infinite loop, how could 
 someone exploit this from the outside?  If a scripter is letting any random
 web visitor put their script into an infinite loop, then the results are at
 *least* as much the scripter's fault as PHP's.  [snip]
 
 As far as I can tell, the only security problem here is the usual one: 
 figuring out who is clueful enough and responsible enough to be trusted 
 with access to operations which can compromise the server.

A coder could do a lot more damage to a server, than a DoS, if they had
access to the PHP. Oh! The fun I would have if I was malicious (but I'm not
BTW). There's more at stake than a simple DoS if someone can upload a PHP
script to a server.





Re: [PHP] Nasty DoS in PHP

2002-04-17 Thread Jason Soza

For what it's worth, I just ran this script on my server, and despite 
the 30 second time limit and 8mb memory limit in php.ini, the script 
ran longer than 30 secs, CPU usage went between 60% and 100% and my 
memory usage reached 352000 before I stopped it.

As far as a DoS, I don't think so. A bug? Possibly. Bad coding? Yep. :)

Jason Soza

- Original Message -
From: CC Zona [EMAIL PROTECTED]
Date: Wednesday, April 17, 2002 6:21 pm
Subject: Re: [PHP] Nasty DoS in PHP

 In article p05100304b8e3cee5ab0c@[210.49.237.250],
 [EMAIL PROTECTED] (Richard Archer) wrote:
 
  At 8:55 PM -0400 17/4/02, Justin Farnsworth wrote:
  
  This is a rather meaningless thread.  It is a
  security issue that is displaced.
  
  If PHP is not honoring the time limit and memory usage directives
  when outputting headers, then this is a bug in PHP.
 
 A big if, since the OP has not yet verified that the time limit and
 memory limit are in effect at the outset of the loop as supposed.  Someone
 else want to test for this scenario?  Someone, that is, who can
 deliberately bring down their server without getting kicked off permanently?
 
 Meanwhile...
 
  If this allows a DoS attack, then this is a very real security problem.
 
 Why should it?  Even if there is a verifiable bug allowing time/memory
 limits to be exceeded when header() goes into an infinite loop, how could
 someone exploit this from the outside?  If a scripter is letting any random
 web visitor put their script into an infinite loop, then the results are at
 *least* as much the scripter's fault as PHP's.  Ditto for the scripter who
 sets the infinite loop himself while allowing the web user to specify what
 function gets executed in the loop.  And if neither of these is happening,
 then where's the DoS?  As has already been pointed out, someone bringing
 down their own server with their own code, isn't a DoS.  It's usually poor
 coding, and _possibly_ (see above) attributable to a bug, but it's not a
 DoS.
 
 As far as I can tell, the only security problem here is the usual one:
 figuring out who is clueful enough and responsible enough to be trusted
 with access to operations which can compromise the server.
 
 Whether there is a bug or not remains an open question.  I'll be curious to
 hear whether anyone is able to reproduce a server crash in spite of
 set_time_limit(30) and ini_set("memory_limit","8M") conditions.
 
 -- 
 CC







RE: [PHP] Nasty DoS in PHP

2002-04-17 Thread Martin Towell

Is that memory usage used by PHP or apache?

-Original Message-
From: Jason Soza [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 18, 2002 12:35 PM
To: CC Zona
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Nasty DoS in PHP


For what it's worth, I just ran this script on my server, and despite 
the 30 second time limit and 8mb memory limit in php.ini, the script 
ran longer than 30 secs, CPU usage went between 60% and 100% and my 
memory usage reached 352000 before I stopped it.

As far as a DoS, I don't think so. A bug? Possibly. Bad coding? Yep. :)

Jason Soza

- Original Message -
From: CC Zona [EMAIL PROTECTED]
Date: Wednesday, April 17, 2002 6:21 pm
Subject: Re: [PHP] Nasty DoS in PHP

 In article p05100304b8e3cee5ab0c@[210.49.237.250],
 [EMAIL PROTECTED] (Richard Archer) wrote:
 
  At 8:55 PM -0400 17/4/02, Justin Farnsworth wrote:
  
  This is a rather meaningless thread.  It is a
  security issue that is displaced.
  
  If PHP is not honoring the time limit and memory usage directives
  when outputting headers, then this is a bug in PHP.
 
 A big if, since the OP has not yet verified that the time limit and
 memory limit are in effect at the outset of the loop as supposed.  Someone
 else want to test for this scenario?  Someone, that is, who can
 deliberately bring down their server without getting kicked off permanently?
 
 Meanwhile...
 
  If this allows a DoS attack, then this is a very real security problem.
 
 Why should it?  Even if there is a verifiable bug allowing time/memory
 limits to be exceeded when header() goes into an infinite loop, how could
 someone exploit this from the outside?  If a scripter is letting any random
 web visitor put their script into an infinite loop, then the results are at
 *least* as much the scripter's fault as PHP's.  Ditto for the scripter who
 sets the infinite loop himself while allowing the web user to specify what
 function gets executed in the loop.  And if neither of these is happening,
 then where's the DoS?  As has already been pointed out, someone bringing
 down their own server with their own code, isn't a DoS.  It's usually poor
 coding, and _possibly_ (see above) attributable to a bug, but it's not a
 DoS.
 
 As far as I can tell, the only security problem here is the usual one:
 figuring out who is clueful enough and responsible enough to be trusted
 with access to operations which can compromise the server.
 
 Whether there is a bug or not remains an open question.  I'll be curious to
 hear whether anyone is able to reproduce a server crash in spite of
 set_time_limit(30) and ini_set("memory_limit","8M") conditions.
 
 -- 
 CC







RE: [PHP] Nasty DoS in PHP

2002-04-17 Thread Jason Soza

It shows the memory and CPU time being used by apache. I have PHP 
installed as a module, that may be why. (?)

Jason Soza

- Original Message -
From: Martin Towell [EMAIL PROTECTED]
Date: Wednesday, April 17, 2002 6:37 pm
Subject: RE: [PHP] Nasty DoS in PHP

 Is that memory usage used by PHP or apache?
 
 -Original Message-
 From: Jason Soza [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, April 18, 2002 12:35 PM
 To: CC Zona
 Cc: [EMAIL PROTECTED]
 Subject: Re: [PHP] Nasty DoS in PHP
 
 
 For what it's worth, I just ran this script on my server, and despite
 the 30 second time limit and 8mb memory limit in php.ini, the script
 ran longer than 30 secs, CPU usage went between 60% and 100% and my
 memory usage reached 352000 before I stopped it.
 
 As far as a DoS, I don't think so. A bug? Possibly. Bad coding? Yep. :)
 
 Jason Soza






Re: [PHP] Nasty DoS in PHP

2002-04-17 Thread CC Zona

Do you have a PHP binary compiled too?  If Apache can be taken out of the 
equation and the script still exceed memory/time limits, that would sure 
appear to be a PHP bug. (FWIW, I can't find an existing bug report about 
this behavior at bugs.php.net.  Perhaps you and the OP could run backtraces 
and open a new bug report?)


In article [EMAIL PROTECTED],
 [EMAIL PROTECTED] (Jason Soza) wrote:

 It shows the memory and CPU time being used by apache. I have PHP 
 installed as a module, that may be why. (?)
 
 Jason Soza
 
 - Original Message -
 From: Martin Towell [EMAIL PROTECTED]
 Date: Wednesday, April 17, 2002 6:37 pm
 Subject: RE: [PHP] Nasty DoS in PHP
 
  Is that memory usage used by PHP or apache?
  
  -Original Message-
  From: Jason Soza [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, April 18, 2002 12:35 PM
  To: CC Zona
  Cc: [EMAIL PROTECTED]
  Subject: Re: [PHP] Nasty DoS in PHP
  
  
  For what it's worth, I just ran this script on my server, and despite 
  the 30 second time limit and 8mb memory limit in php.ini, the script 
  ran longer than 30 secs, CPU usage went between 60% and 100% and my 
  memory usage reached 352000 before I stopped it.

-- 
CC





Re: [PHP] Nasty DoS in PHP

2002-04-17 Thread Jackson Miller

I crashed a server yesterday from PHP code that was trying to create an
image with GD.  The same scenario happened in that my entire box froze.
No keyboard control, no mouse, no CTRL-ALT-F2, nothing.

This was also due to a header() in an infinite loop.  From my
perspective I thought that was bad code, so I fixed it.  I don't see
this as a security risk.  Allowing someone to execute code on your
server is a security risk.  Writing bad code is writing bad code.

It would be interesting to see how Linux handled the load.  I might test
again and see if other services will still accept remote connections
(maybe ssh or something).  But regardless, it is a good idea not to
write bad code, and to test on a development server just in case.

-Jaxn


http://www.jaxn.org





On Wed, 2002-04-17 at 20:25, Dustin E. Childers wrote:
 Hello.
 
 I have found something interesting that can kill the server. I'm not sure
 if this is because of Apache or PHP. If you use PHP to send a header()
 inside of a while loop, the httpd process will begin to use massive CPU
 and Memory until it is killed, or the server is killed. Here is what I used:
 
 <?
   while(01) {
     header("A");
   }
 ?>
 
 We have tested this on apache 1.3.22, and apache 2.0.35, using php 4.1.2
 and 4.2.0RC4. It was able to completely kill our servers (not apache, the
 entire server). The loads of the server will reach 50+. I have contacted
 apache about this and they said that it is PHP related.
 
 Dustin E. Childers
 Security Administrator. CEO, Digitux Security, Inc.
 http://www.digitux.net/







RE: [PHP] Nasty DoS in PHP

2002-04-17 Thread Jason Soza

Interesting, check out my apache error log:
[Wed Apr 17 18:35:53 2002] [error] PHP Fatal error:  Maximum execution time
of 30 seconds exceeded in d:\html\loop.asp on line 7

So PHP recognized the max execution time of 30 seconds being exceeded, but
neither it nor apache shut down the script.

Jason

-Original Message-
From: CC Zona [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 17, 2002 7:04 PM
To: [EMAIL PROTECTED]
Subject: Re: [PHP] Nasty DoS in PHP


Do you have a PHP binary compiled too?  If Apache can be taken out of the
equation and the script still exceed memory/time limits, that would sure
appear to be a PHP bug. (FWIW, I can't find an existing bug report about
this behavior at bugs.php.net.  Perhaps you and the OP could run backtraces
and open a new bug report?)


In article [EMAIL PROTECTED],
 [EMAIL PROTECTED] (Jason Soza) wrote:

 It shows the memory and CPU time being used by apache. I have PHP
 installed as a module, that may be why. (?)

 Jason Soza

 - Original Message -
 From: Martin Towell [EMAIL PROTECTED]
 Date: Wednesday, April 17, 2002 6:37 pm
 Subject: RE: [PHP] Nasty DoS in PHP

  Is that memory usage used by PHP or apache?
 
  -Original Message-
  From: Jason Soza [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, April 18, 2002 12:35 PM
  To: CC Zona
  Cc: [EMAIL PROTECTED]
  Subject: Re: [PHP] Nasty DoS in PHP
 
 
  For what it's worth, I just ran this script on my server, and despite
  the 30 second time limit and 8mb memory limit in php.ini, the script
  ran longer than 30 secs, CPU usage went between 60% and 100% and my
  memory usage reached 352000 before I stopped it.

--
CC



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
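
An added example, not part of any post in this thread: one way to catch the case reported above, where PHP logs the time-limit fatal error but the Apache worker keeps consuming CPU and memory. It parses the error-log line quoted in the post and correlates it with OS-level process samples. The function names, the process samples, the second log entry and the 65536 KB ceiling are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Apache 1.3 error-log entry for a PHP time-limit fatal, as quoted in the thread.
FATAL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] PHP Fatal error:\s+"
    r"Maximum execution time of (?P<limit>\d+) seconds? exceeded "
    r"in (?P<script>.+) on line (?P<line>\d+)$"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"

# First entry: the line from the thread, mail-wrapped as posted.
# Second entry: constructed, to show that unrelated errors are ignored.
SAMPLE_LOG = r"""
[Wed Apr 17 18:35:53 2002] [error] PHP Fatal error:  Maximum execution time
of 30 seconds exceeded in d:\html\loop.asp on line 7
[Wed Apr 17 18:36:02 2002] [error] [client 127.0.0.1] File does not exist: d:/html/favicon.ico
"""

# Constructed process samples: (time, pid, rss_kb, cpu_percent), e.g. from ps.
_T = datetime(2002, 4, 17, 18, 35, 0)
SAMPLE_PROCS = [
    (_T + timedelta(seconds=40), 1234, 120000, 95.0),  # before the fatal
    (_T + timedelta(seconds=70), 1234, 352000, 98.0),  # 17 s after the fatal
    (_T + timedelta(seconds=70), 1300, 9000, 1.0),     # idle worker
]


def parse_timeouts(log_text):
    """Return one dict per 'Maximum execution time' fatal error in the log."""
    # A physical line that does not start with '[' continues the previous
    # entry; this rejoins entries that were wrapped by a mail client.
    entries = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        if raw.startswith("[") or not entries:
            entries.append(raw)
        else:
            entries[-1] += " " + raw
    events = []
    for entry in entries:
        m = FATAL_RE.match(entry)
        if m:
            events.append({
                "when": datetime.strptime(m.group("ts"), TS_FORMAT),
                "limit_s": int(m.group("limit")),
                "script": m.group("script"),
                "line": int(m.group("line")),
            })
    return events


def runaway_workers(events, samples, rss_ceiling_kb, min_cpu=50.0, grace_s=5):
    """Return {pid: peak_rss_kb} for workers still busy after a logged timeout.

    A worker is flagged when a sample taken more than grace_s seconds after
    any logged timeout shows it above rss_ceiling_kb and at or above min_cpu.
    The 1.3-style log line carries no PID, so correlation is by time only.
    """
    flagged = {}
    for ev in events:
        deadline = ev["when"] + timedelta(seconds=grace_s)
        for when, pid, rss_kb, cpu in samples:
            if when > deadline and rss_kb > rss_ceiling_kb and cpu >= min_cpu:
                flagged[pid] = max(flagged.get(pid, 0), rss_kb)
    return flagged


if __name__ == "__main__":
    found = parse_timeouts(SAMPLE_LOG)
    print(found)
    print(runaway_workers(found, SAMPLE_PROCS, rss_ceiling_kb=65536))
```

Because the worker's resident size includes Apache itself, the ceiling is an operator-chosen value rather than PHP's memory_limit.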




RE: [PHP] Nasty DoS in PHP

2002-04-17 Thread Jason Murray

 A big if, since the OP has not yet verified that the time limit and 
 memory limit are in effect at the outset of the loop as supposed.  
 Someone else want to test for this scenario?  Someone, that is, who 
 can deliberately bring down their server without getting kicked 
 off permanently?

Done. Result:

Fatal error: Maximum execution time of 30 seconds exceeded in
/usr/local/apache/virtual/misc/random.phpdev.mit/htdocs/index.php on line 3

Server: Apache/1.3.12 (Unix) PHP/4.0.6

I think that kind of closes this case...

Jason





Re: [PHP] Nasty DoS in PHP

2002-04-17 Thread CC Zona

In article [EMAIL PROTECTED],
 [EMAIL PROTECTED] (Jason Soza) wrote:

 Interesting, check out my apache error log:
 [Wed Apr 17 18:35:53 2002] [error] PHP Fatal error:  Maximum execution time
 of 30 seconds exceeded in d:\html\loop.asp on line 7

LOL.  You use *.asp for your PHP scripts?  Wouldn't that be considered 
blasphemous? <g>

 So PHP recognized the max execution time of 30 seconds being exceeded, but
 neither it nor apache shut down the script.

So that was both as an Apache mod and a CGI binary?  Sounds like it's 
reproducible.  Open a bug report so the developers can track it down 
http://bugs.php.net/report.php.  Even though putting header() into an 
infinite loop sounds like something not to do in general, a bug is still a 
bug even if it's a pretty esoteric one.

-- 
CC





RE: [PHP] Nasty DoS in PHP

2002-04-17 Thread Jason Murray

 So that was both as an Apache mod and a CGI binary?  Sounds like it's 
 reproducible. 

Running as an Apache module here, it terminated as expected at 30 seconds.

Jason





RE: [PHP] Nasty DoS in PHP

2002-04-17 Thread Jason Soza

Mine produced the same error message as yours, Jason, but the memory and CPU
usage continued until I hit the 'stop' button on the browser. It seemed to
have overridden both time and memory limits, as it had racked up 320 megs of
my RAM by the time I stopped it.

Jason

-Original Message-
From: Jason Murray [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 17, 2002 9:57 PM
To: 'CC Zona'; [EMAIL PROTECTED]
Subject: RE: [PHP] Nasty DoS in PHP


 So that was both as an Apache mod and a CGI binary?  Sounds like it's
 reproducible.

Running as an Apache module here, it terminated as expected at 30 seconds.

Jason

