Mine produced the same error message as yours, Jason, but the memory
and CPU usage continued until I hit the 'stop' button on the browser.
It seemed to have overridden both time and memory limits, as it had
racked up 320 megs of my RAM by the time I stopped it.
It certainly didn't do that
scripts, nor was I ever planning on it! :)
-Original Message-
From: Jason Murray [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 17, 2002 10:13 PM
To: 'Jason Soza'; [EMAIL PROTECTED]
Subject: RE: [PHP] Nasty DoS in PHP
Mine produced the same error message as yours, Jason
I'd be interested in knowing your versions and the versions
of the first guy that posted about this. Maybe he has the same
setup as me, or close enough, but both of us are different
from you.
Actually, I just thought about it - maybe you guys are both running
it on Windows (shame on you
- Original Message -
From: Jason Murray [EMAIL PROTECTED]
To: 'Jason Soza' [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, April 17, 2002 11:36 PM
Subject: RE: [PHP] Nasty DoS in PHP | Windows only?
I'd be interested in knowing your versions and the versions
of the first guy
I know what you are saying. I've taken down apache on win32
with setcookie
[snip]
I'm pretty sure they ran PHP on apache, not IIS. Maybe this
problem is only with the win32 version of the PHP module.
Yep, apparently I can't read. Apache, IIS, same header() probs.
Nonetheless, a bug is
Message-
From: Jason Soza [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 18, 2002 12:10 AM
To: [EMAIL PROTECTED]
Subject: RE: [PHP] Nasty DoS in PHP
Mine produced the same error message as yours, Jason, but the memory and CPU
usage continued until I hit the 'stop' button on the browser
-Original Message-
From: Jason Murray [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 17, 2002 9:57 PM
To: 'CC Zona'; [EMAIL PROTECTED]
Subject: RE: [PHP] Nasty DoS in PHP
So that was both as an Apache mod and a CGI binary? Sounds like it's
reproducible.
Running as an Apache
Actually, it occurs on Solaris as well. I just coded up the script, and
it brought my server to its knees, though I was able to break it before
it hanged hard.
My configuration:
* Solaris 8 108528-12
* PHP 4.1.1 as an executable (didn't try through Apache)
* 512mb ram, 1 @ 440MHx
Just catching up on my emails and saw this thread.
Just a note that it didn't happen under
FreeBSD 4.5-R p3
PHP 4.1.2 (Apache module)
386M Ram, PIII 450 box
The script died after the max_time setting, and apache's children
returned back to their happy go lucky nature all by themselves...
, April 18, 2002 7:29 AM
Subject: RE: [PHP] Nasty DoS in PHP
Very odd indeed. Well, here's my setup:
Windoze2K
PHP 4.1.2
Apache 1.3.something
Accessing it via IE 6.0, although this should not have any bearing on
anything
I'd be interested in knowing your versions and the versions
Turn on the memory-limit option
On Wed, 17 Apr 2002, Dustin E. Childers wrote:
Hello.
I have found something interesting that can kill the server. I'm not sure if this is
because of Apache or PHP. If you use PHP to send a header() inside of a while loop,
the httpd process will begin to use
Security Administrator. CEO, Digitux Security, Inc.
http://www.digitux.net/
- Original Message -
From: Rasmus Lerdorf [EMAIL PROTECTED]
To: Dustin E. Childers [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, April 17, 2002 12:58 PM
Subject: Re: [PHP] Nasty DoS in PHP
Turn
I have found something interesting that can kill the server.
I'm not sure if this is because of Apache or PHP. If you use
PHP to send a header() inside of a while loop, the httpd
process will begin to use massive CPU and Memory until it is
killed, or the server is killed. Here is what I
Security, Inc.
http://www.digitux.net/
- Original Message -
From: Jason Murray [EMAIL PROTECTED]
To: 'Dustin E. Childers' [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, April 17, 2002 4:45 PM
Subject: RE: [PHP] Nasty DoS in PHP
I have found something interesting that can kill
In article 000401c1e67b$dd64c820$2fa3f318@blackbox,
[EMAIL PROTECTED] (Dustin E. Childers) wrote:
It does not stop after its execution time. We have let this run for 10+
minutes to see if it would crash the server, and it did. It does not affect
the person that loads the code in the browser,
It does not stop after its execution time.
Is your PHP actually configured to stop running after 30 seconds,
though? Its the default, but you may have overridden it.
We have let this run for 10+ minutes to see if it would crash the
server, and it did.
Is it possible you're called
Security, Inc.
http://www.digitux.net/
- Original Message -
From: Jason Murray [EMAIL PROTECTED]
To: 'Dustin E. Childers' [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, April 17, 2002 5:04 PM
Subject: RE: [PHP] Nasty DoS in PHP
It does not stop after its execution time.
Is your
box.
This isn't really an exploit, just bad coding.
-Original Message-
From: Dustin E. Childers [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 18, 2002 3:10 AM
To: Jason Murray
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Nasty DoS in PHP
It's a default PHP installation. We aren't
It's a default PHP installation. We aren't calling set_time_limit().
I know its an infinite loop, the point is that if a user wanted to
attack a server (happens every day) they would be able to use this
method to take the server down.
But, if the user has enough access to the server to
/
- Original Message -
From: Jason Murray [EMAIL PROTECTED]
To: 'Dustin E. Childers' [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, April 17, 2002 5:14 PM
Subject: RE: [PHP] Nasty DoS in PHP
It's a default PHP installation. We aren't calling set_time_limit().
I know its an infinite loop
so why not upload a binary file and execute that ? quick root-kit later and
you're in.
-Original Message-
From: Dustin E. Childers [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 18, 2002 3:22 AM
To: Jason Murray
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Nasty DoS in PHP
If the user
If the user has enough access to the server to place files on it ?
There are hosting places that have PHP and you can just upload the PHP
script through FTP and access it in your browser.
... in which case all you'll accomplish is taking out your own server,
which is not a DoS attack. :)
. Childers [EMAIL PROTECTED]; Jason Murray
[EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, April 17, 2002 5:28 PM
Subject: RE: [PHP] Nasty DoS in PHP
so why not upload a binary file and execute that ? quick root-kit later
and
you're in.
-Original Message-
From: Dustin E
PROTECTED]
Subject: Re: [PHP] Nasty DoS in PHP
You can't upload a binary file to a server and access it through a web
browser. The most it will do is either show the 'source' for file or ask you
to download it. Yes, this is probably not a major DoS attack..and there
aren't many free hosts out
Guys:
This is a rather meaningless thread. It is a
security issue that is displaced.
Anybody can take down his own machine with a couple of
lines of code. It is not the (entire) responsibility of the
language to protect the machine from resource exhaustion
or whatever.
In security, you have
In article p05100304b8e3cee5ab0c@[210.49.237.250],
[EMAIL PROTECTED] (Richard Archer) wrote:
At 8:55 PM -0400 17/4/02, Justin Farnsworth wrote:
This is a rather meaningless thread. It is a
security issue that is displaced.
If PHP is not honoring the time limit and memory usage
[snip]
If this allows a DoS attack, then this is a very real security problem.
Why should it? Even if there is a verifiable bug allowing time/memory
limits to be exceeded when header() goes into an infinite loop, how could
someone exploit this from the outside? If a scripter is
. A bug? Possibly. Bad coding? Yep. :)
Jason Soza
- Original Message -
From: CC Zona [EMAIL PROTECTED]
Date: Wednesday, April 17, 2002 6:21 pm
Subject: Re: [PHP] Nasty DoS in PHP
In article p05100304b8e3cee5ab0c@[210.49.237.250],
[EMAIL PROTECTED] (Richard Archer) wrote:
At 8:55 PM
Is that memory usage used by PHP or apache?
-Original Message-
From: Jason Soza [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 18, 2002 12:35 PM
To: CC Zona
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Nasty DoS in PHP
For what it's worth, I just ran this script on my server
It shows the memory and CPU time being used by apache. I have PHP
installed as a module, that may be why. (?)
Jason Soza
- Original Message -
From: Martin Towell [EMAIL PROTECTED]
Date: Wednesday, April 17, 2002 6:37 pm
Subject: RE: [PHP] Nasty DoS in PHP
Is that memory usage used
]
Date: Wednesday, April 17, 2002 6:37 pm
Subject: RE: [PHP] Nasty DoS in PHP
Is that memory usage used by PHP or apache?
-Original Message-
From: Jason Soza [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 18, 2002 12:35 PM
To: CC Zona
Cc: [EMAIL PROTECTED]
Subject
I crashed a server yesterday from PHP code that was trying to create an
image with GD. The same scenerio happened in that my entire box froze.
No keyboard control, no mouse, no CTRL-ALT-F2, nothing.
This was also due to a header() in an infinite loop. From my
perspective I thought that was
.
Jason
-Original Message-
From: CC Zona [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 17, 2002 7:04 PM
To: [EMAIL PROTECTED]
Subject: Re: [PHP] Nasty DoS in PHP
Do you have a PHP binary compiled too? If Apache can be taken out of the
equation and the script still exceed memory/time
A big if, since the OP has not yet verified that the time limit and
memory limit are in effect at the outset of the loop as supposed.
Someone else want to test for this scenario? Someone, that is, who
can deliberately bring down their server without getting kicked
off permanently?
In article [EMAIL PROTECTED],
[EMAIL PROTECTED] (Jason Soza) wrote:
Interesting, check out my apache error log:
[Wed Apr 17 18:35:53 2002] [error] PHP Fatal error: Maximum execution time
of 30 seconds exceeded in d:\html\loop.asp on line 7
LOL. You use *.asp for your PHP scripts?
So that was both as an Apache mod and a CGI binary? Sounds like it's
reproducible.
Running as an Apache module here, it terminated as expected at 30 seconds.
Jason
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
-
From: Jason Murray [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 17, 2002 9:57 PM
To: 'CC Zona'; [EMAIL PROTECTED]
Subject: RE: [PHP] Nasty DoS in PHP
So that was both as an Apache mod and a CGI binary? Sounds like it's
reproducible.
Running as an Apache module here, it terminated
37 matches
Mail list logo
