Re: [PHP] [security] PHP has DoS vuln with large decimal points

2011-01-25 Thread Pierre Joye
hi,

On Mon, Jan 17, 2011 at 5:21 AM, Tommy Pham  wrote:

> Thanks Dan.  I'll keep it in mind for the future.  For interested parties,
> that's found in the official Windows 5.3.3 NTS VC9 build.  Works fine with
> the current official 5.3.5 NTS VC9.

5.3.5 was released only to fix this exact bug :-)

Cheers,
-- 
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



RE: [PHP] [security] PHP has DoS vuln with large decimal points

2011-01-16 Thread Tommy Pham
> -Original Message-
> From: paras...@gmail.com [mailto:paras...@gmail.com] On Behalf Of
> Daniel Brown
> Sent: Sunday, January 16, 2011 7:00 PM
> To: Tommy Pham
> Cc: PHP General; PHP Internals List; secur...@php.net
> Subject: Re: [PHP] [security] PHP has DoS vuln with large decimal points
> 
> On Sun, Jan 16, 2011 at 21:00, Tommy Pham  wrote:
> >
> > Here are the results after some further tests for the same platform:
> >
> > * max float value: 1.7976931348623E+308
> > * min float value:  9.8813129168249E-324  <<
> > floatval('1.00e-323') weird ...
> >
> > PHP will hang when the value is between (inclusive)
> >
> > floatval('2.22507385850720102e-308')  -
> > floatval('2.22507385850720113e-308')
> >
> > I can't find the bug report for the issue @ bugs.php.net.  Does anyone
> > know if one is submitted?  I should submit one?  Subscribe to dev list
> > and go from there?
> 
> If in doubt, file a bug.  Worse comes to worst, it will be marked as bogus or
> a duplicate.  For security-related things, send them to secur...@php.net,
> not to the General list.  Again, if it's of no concern, it will simply be ignored
> as bogus or already known.
> 
> --
> 
> Network Infrastructure Manager
> Documentation, Webmaster Teams
> http://www.php.net/

Thanks Dan.  I'll keep it in mind for the future.  For interested parties,
that's found in the official Windows 5.3.3 NTS VC9 build.  Works fine with
the current official 5.3.5 NTS VC9.

Thanks,
Tommy





[PHP] Re: [PHP-DEV] Re: [PHP] [security] PHP has DoS vuln with large decimal points

2011-01-16 Thread Mike Robinson
On 2011-01-16, at 9:59 PM, Daniel Brown  wrote:

> On Sun, Jan 16, 2011 at 21:00, Tommy Pham  wrote:
>> 
>> Here are the results after some further tests for the same platform:
>> 
>> * max float value: 1.7976931348623E+308
>> * min float value:  9.8813129168249E-324  <<
>> floatval('1.00e-323') weird ...
>> 
>> PHP will hang when the value is between (inclusive)
>> 
>> floatval('2.22507385850720102e-308')  -
>> floatval('2.22507385850720113e-308')
>> 
>> I can't find the bug report for the issue @ bugs.php.net.  Does anyone know
>> if one is submitted?  I should submit one?  Subscribe to dev list and go from
>> there?
> 
> If in doubt, file a bug.  Worse comes to worst, it will be marked
> as bogus or a duplicate.  For security-related things, send them to
> secur...@php.net, not to the General list.  Again, if it's of no
> concern, it will simply be ignored as bogus or already known

Is this not it?

http://bugs.php.net/53632

Best Regards

Mike Robinson



RE: [PHP] [security] PHP has DoS vuln with large decimal points

2011-01-16 Thread Tommy Pham
> -Original Message-
> From: Jim Lucas [mailto:li...@cmsws.com]
> Sent: Sunday, January 16, 2011 6:54 PM
> To: Tommy Pham
> Cc: php-general@lists.php.net
> Subject: Re: [PHP] [security] PHP has DoS vuln with large decimal points
> 
> On 1/16/2011 4:18 PM, Tommy Pham wrote:
> >> -Original Message-
> >> From: Tommy Pham [mailto:tommy...@gmail.com]
> >> Sent: Thursday, January 06, 2011 5:49 PM
> >> To: 'Daevid Vincent'
> >> Cc: 'php-general@lists.php.net'
> >> Subject: RE: [PHP] [security] PHP has DoS vuln with large decimal
> >> points
> >>
> >>> -Original Message-
> >>> From: Daevid Vincent [mailto:dae...@daevid.com]
> >>> Sent: Wednesday, January 05, 2011 11:36 AM
> >>> To: php-general@lists.php.net
> >>> Subject: [PHP] [security] PHP has DoS vuln with large decimal points
> >>>
> >>> The error in the way floating-point and double-precision numbers are
> >>> handled sends 32-bit systems running Linux, Windows, and FreeBSD
> >>> into an infinite loop that consumes 100 percent of their CPU's resources.
> >>> Developers are still investigating, but they say the bug appears to
> >>> affect versions 5.2 and 5.3 of PHP. They say it could be trivially
> >>> exploited on many websites to cause them to crash by adding long
> >>> numbers to certain URLs.
> >>>
> >>> 
> >>>
> >>> The crash is also triggered when the number is expressed without
> >>> scientific notation, with 324 decimal places.
> >>>
> >>> Read on...
> >>>
> >>> http://www.theregister.co.uk/2011/01/04/weird_php_dos_vuln/
> >>>
> >>> --
> >>> Daevid Vincent
> >>> http://daevid.com
> >>>
> >>> There are only 11 types of people in this world. Those that think
> >>> binary jokes are funny, those that don't, and those that don't know
> >>> binary.
> >>>
> >>
> >> "The size of a float is platform-dependent, although a maximum of
> >> ~1.8e308 with a precision of roughly 14 decimal digits is a common
> >> value (the 64 bit IEEE format)."  From [1].  The example given is
> >> clearly over the limit within the PHP core.
> >>
> >> This sounds like what I was mentioning before, in a different thread,
> >> about URL hacking to induce buffer overflow.
> >>
> >> Regards,
> >> Tommy
> >>
> >> [1] http://www.php.net/manual/en/language.types.float.php
> >
> > I found something really weird while coding a validator for floating
> > protection protection.
> >
> > Case 1 - known DoS / PHP hangs in infinite loop:
> >
> >   $value = '2.2250738585072011e-308';
> >   var_dump(floatval($value));
> >
> > Case 2 - works fine:
> >
> >   $value = '2.2250738585072011e-307';
> > or
> >   $value = '2.2250738585072011e-309';
> > or
> >   $value = '2.225073858507201e-308';
> >
> >   var_dump(floatval($value));
> >
> > I'd expect the '2.2250738585072011e-309' to hang also on my Win x64 with PHP
> > FastCGI.  I haven't tested it on *nix platform yet.   Could someone please
> > confirm this?
> >
> > Thanks,
> > Tommy
> >
> >
> 
> Seems to work fine for me.
> 
> $ cat float.php
> <?php
> echo "Example 1\n";
> $value = 2.2250738585072011e-307;
> var_dump(floatval($value));
> var_dump($value);
> 
> echo "Example 2\n";
> $value = 2.2250738585072011e-308;
> var_dump(floatval($value));
> var_dump($value);
> 
> echo "Example 3\n";
> $value = 2.2250738585072011e-309;
> var_dump(floatval($value));
> var_dump($value);
> 
> echo "Example 4\n";
> $value = 2.225073858507201e-308;
> var_dump(floatval($value));
> var_dump($value);
> 
> ?>
> $ php -f float.php
> Example 1
> float(2.2250738585072E-307)
> float(2.2250738585072E-307)
> Example 2
> float(2.2250738585072E-308)
> float(2.2250738585072E-308)
> Example 3
> float(2.2250738585072E-309)
> float(2.2250738585072E-309)
> Example 4
> float(2.2250738585072E-308)
> float(2.2250738585072E-308)
> 
> $ uname -a
> OpenBSD serv0.cmsws.com 4.3 GENERIC#698 i386
> $ php -v
> PHP 5.2.5 with Suhosin-Patch 0.9.6.2 (cli) (built: Mar 11 2008 13:08:50)
> Copyright (c) 1997-2007 The PHP Group
> Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
> with Suhosin v0.9.20, Copyright (c) 2002-2006, by Hardened-PHP Project
> 
> No infinite loop.  I like my system... :)
> 
> Jim Lucas

Hi Jim,

Thanks for the confirmation.  It appears that the bug is with the official
binary Windows distribution PHP 5.3.3 NTS and most likely with 5.3.3.  I
just upgraded to NTS 5.3.5 and it works fine now.  It also runs fine against
unofficial PHP 5.2.5 x64 Windows ISAPI.

Thanks,
Tommy







Re: [PHP] [security] PHP has DoS vuln with large decimal points

2011-01-16 Thread Daniel Brown
On Sun, Jan 16, 2011 at 21:00, Tommy Pham  wrote:
>
> Here are the results after some further tests for the same platform:
>
> * max float value: 1.7976931348623E+308
> * min float value:  9.8813129168249E-324  <<
> floatval('1.00e-323') weird ...
>
> PHP will hang when the value is between (inclusive)
>
> floatval('2.22507385850720102e-308')  -
> floatval('2.22507385850720113e-308')
>
> I can't find the bug report for the issue @ bugs.php.net.  Does anyone know
> if one is submitted?  I should submit one?  Subscribe to dev list and go from
> there?

If in doubt, file a bug.  Worse comes to worst, it will be marked
as bogus or a duplicate.  For security-related things, send them to
secur...@php.net, not to the General list.  Again, if it's of no
concern, it will simply be ignored as bogus or already known.

-- 

Network Infrastructure Manager
Documentation, Webmaster Teams
http://www.php.net/




Re: [PHP] [security] PHP has DoS vuln with large decimal points

2011-01-16 Thread Jim Lucas
On 1/16/2011 4:18 PM, Tommy Pham wrote:
>> -Original Message-
>> From: Tommy Pham [mailto:tommy...@gmail.com]
>> Sent: Thursday, January 06, 2011 5:49 PM
>> To: 'Daevid Vincent'
>> Cc: 'php-general@lists.php.net'
>> Subject: RE: [PHP] [security] PHP has DoS vuln with large decimal points
>>
>>> -Original Message-
>>> From: Daevid Vincent [mailto:dae...@daevid.com]
>>> Sent: Wednesday, January 05, 2011 11:36 AM
>>> To: php-general@lists.php.net
>>> Subject: [PHP] [security] PHP has DoS vuln with large decimal points
>>>
>>> The error in the way floating-point and double-precision numbers are
>>> handled sends 32-bit systems running Linux, Windows, and FreeBSD into
>>> an infinite loop that consumes 100 percent of their CPU's resources.
>>> Developers are still investigating, but they say the bug appears to
>>> affect versions 5.2 and 5.3 of PHP. They say it could be trivially
>>> exploited on many websites to cause them to crash by adding long
>>> numbers to certain URLs.
>>>
>>> 
>>>
>>> The crash is also triggered when the number is expressed without
>>> scientific notation, with 324 decimal places.
>>>
>>> Read on...
>>>
>>> http://www.theregister.co.uk/2011/01/04/weird_php_dos_vuln/
>>>
>>> --
>>> Daevid Vincent
>>> http://daevid.com
>>>
>>> There are only 11 types of people in this world. Those that think
>>> binary jokes are funny, those that don't, and those that don't know
>>> binary.
>>>
>>
>> "The size of a float is platform-dependent, although a maximum of ~1.8e308
>> with a precision of roughly 14 decimal digits is a common value (the 64 bit
>> IEEE format)."  From [1].  The example given is clearly over the limit within
>> the PHP core.
>>
>> This sounds like what I was mentioning before, in a different thread, about
>> URL hacking to induce buffer overflow.
>>
>> Regards,
>> Tommy
>>
>> [1] http://www.php.net/manual/en/language.types.float.php
> 
> I found something really weird while coding a validator for floating
> protection protection.
> 
> Case 1 - known DoS / PHP hangs in infinite loop:
> 
>   $value = '2.2250738585072011e-308';
>   var_dump(floatval($value));
> 
> Case 2 - works fine:
> 
>   $value = '2.2250738585072011e-307';
> or
>   $value = '2.2250738585072011e-309';
> or
>   $value = '2.225073858507201e-308';
> 
>   var_dump(floatval($value));
> 
> I'd expect the '2.2250738585072011e-309' to hang also on my Win x64 with PHP
> FastCGI.  I haven't tested it on *nix platform yet.   Could someone please
> confirm this?
> 
> Thanks,
> Tommy
> 
> 

Seems to work fine for me.

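$ cat float.php
<?php

echo "Example 1\n";
$value = 2.2250738585072011e-307;
var_dump(floatval($value));
var_dump($value);

echo "Example 2\n";
$value = 2.2250738585072011e-308;
var_dump(floatval($value));
var_dump($value);

echo "Example 3\n";
$value = 2.2250738585072011e-309;
var_dump(floatval($value));
var_dump($value);

echo "Example 4\n";
$value = 2.225073858507201e-308;
var_dump(floatval($value));
var_dump($value);

?>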
$ php -f float.php
Example 1
float(2.2250738585072E-307)
float(2.2250738585072E-307)
Example 2
float(2.2250738585072E-308)
float(2.2250738585072E-308)
Example 3
float(2.2250738585072E-309)
float(2.2250738585072E-309)
Example 4
float(2.2250738585072E-308)
float(2.2250738585072E-308)

$ uname -a
OpenBSD serv0.cmsws.com 4.3 GENERIC#698 i386
$ php -v
PHP 5.2.5 with Suhosin-Patch 0.9.6.2 (cli) (built: Mar 11 2008 13:08:50)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
with Suhosin v0.9.20, Copyright (c) 2002-2006, by Hardened-PHP Project

No infinite loop.  I like my system... :)

Jim Lucas




RE: [PHP] [security] PHP has DoS vuln with large decimal points

2011-01-16 Thread Tommy Pham
> -Original Message-
> From: Tommy Pham [mailto:tommy...@gmail.com]
> Sent: Sunday, January 16, 2011 4:18 PM
> To: 'php-general@lists.php.net'
> Subject: RE: [PHP] [security] PHP has DoS vuln with large decimal points
> 



> 
> I found something really weird while coding a validator for floating
> protection protection.
> 
> Case 1 - known DoS / PHP hangs in infinite loop:
> 
>   $value = '2.2250738585072011e-308';
>   var_dump(floatval($value));
> 
> Case 2 - works fine:
> 
>   $value = '2.2250738585072011e-307';
> or
>   $value = '2.2250738585072011e-309';
> or
>   $value = '2.225073858507201e-308';
> 
>   var_dump(floatval($value));
> 
> I'd expect the '2.2250738585072011e-309' to hang also on my Win x64 with
> PHP FastCGI.  I haven't tested it on *nix platform yet.   Could someone please
> confirm this?
> 
> Thanks,
> Tommy

Here are the results after some further tests for the same platform:

* max float value: 1.7976931348623E+308
* min float value:  9.8813129168249E-324  <<
floatval('1.00e-323') weird ...

PHP will hang when the value is between (inclusive)

floatval('2.22507385850720102e-308')  -
floatval('2.22507385850720113e-308')

I can't find the bug report for the issue @ bugs.php.net.  Does anyone know
if one is submitted?  I should submit one?  Subscribe to dev list and go from
there?

Thanks,
Tommy
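
A guard built on the range reported in this message, for hosts that cannot move to 5.3.5 right away (an added example, not code posted by anyone in the thread). The function names are hypothetical, and the sample array is constructed to stand in for `$_GET`.

```php
<?php
// Added example, not code from the thread. The bounds are the inclusive range
// reported above: 2.22507385850720102e-308 .. 2.22507385850720113e-308.
define('HANG_LO',  '222507385850720102');
define('HANG_HI',  '222507385850720113');
define('HANG_EXP', -308);

/**
 * True when the numeric prefix of $s falls inside the reported range.
 * Only string functions are used: a loose == between two numeric strings
 * converts both to float, so comparisons go through strcmp() and ===.
 */
function is_hang_literal($s)
{
    if (!is_string($s)) {
        return false;
    }
    // floatval() converts a leading numeric prefix, so anchor at the start only.
    $re = '/^\s*[+-]?(\d*)(?:\.(\d*))?(?:[eE]([+-]?)(\d+))?/';
    if (!preg_match($re, $s, $m)) {
        return false;
    }
    $int  = $m[1];
    $frac = isset($m[2]) ? $m[2] : '';
    $expDigits = isset($m[4]) ? ltrim($m[4], '0') : '';
    if (strlen($expDigits) > 9) {
        return false; // no realistic mantissa length offsets an exponent this big
    }
    $neg = isset($m[3]) && $m[3] === '-';
    $exp = $neg ? -(int) $expDigits : (int) $expDigits;

    $all      = $int . $frac;
    $stripped = ltrim($all, '0');
    if ($stripped === '') {
        return false; // zero, or no digits at all
    }
    // Decimal exponent once the value is written as d.ddd x 10^n; this also
    // covers the plain form with 324 decimal places and shifted mantissas.
    $sci = strlen($int) - 1 - (strlen($all) - strlen($stripped)) + $exp;
    if ($sci !== HANG_EXP) {
        return false;
    }
    // Compare the first 18 significant digits; longer inputs are truncated,
    // which errs on the side of rejecting.
    $key = substr(str_pad($stripped, 18, '0'), 0, 18);
    return strcmp($key, HANG_LO) >= 0 && strcmp($key, HANG_HI) <= 0;
}

/** Walks a request array ($_GET, $_POST, ...) looking for such a value. */
function request_has_hang_literal($data)
{
    if (!is_array($data)) {
        return is_hang_literal($data);
    }
    foreach ($data as $v) {
        if (request_has_hang_literal($v)) { return true; }
    }
    return false;
}

// Constructed sample standing in for $_GET.
$sample = array('price' => '2.2250738585072011e-308', 'qty' => '3');
var_dump(request_has_hang_literal($sample));
```

The check has to run before any code casts or loosely compares the request values, for example at the top of a front controller or from an `auto_prepend_file` script.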






RE: [PHP] [security] PHP has DoS vuln with large decimal points

2011-01-16 Thread Tommy Pham
> -Original Message-
> From: Tommy Pham [mailto:tommy...@gmail.com]
> Sent: Thursday, January 06, 2011 5:49 PM
> To: 'Daevid Vincent'
> Cc: 'php-general@lists.php.net'
> Subject: RE: [PHP] [security] PHP has DoS vuln with large decimal points
> 
> > -Original Message-
> > From: Daevid Vincent [mailto:dae...@daevid.com]
> > Sent: Wednesday, January 05, 2011 11:36 AM
> > To: php-general@lists.php.net
> > Subject: [PHP] [security] PHP has DoS vuln with large decimal points
> >
> > The error in the way floating-point and double-precision numbers are
> > handled sends 32-bit systems running Linux, Windows, and FreeBSD into
> > an infinite loop that consumes 100 percent of their CPU's resources.
> > Developers are still investigating, but they say the bug appears to
> > affect versions 5.2 and 5.3 of PHP. They say it could be trivially
> > exploited on many websites to cause them to crash by adding long
> > numbers to certain URLs.
> >
> > 
> >
> > The crash is also triggered when the number is expressed without
> > scientific notation, with 324 decimal places.
> >
> > Read on...
> >
> > http://www.theregister.co.uk/2011/01/04/weird_php_dos_vuln/
> >
> > --
> > Daevid Vincent
> > http://daevid.com
> >
> > There are only 11 types of people in this world. Those that think
> > binary jokes are funny, those that don't, and those that don't know binary.
> >
> 
> "The size of a float is platform-dependent, although a maximum of ~1.8e308
> with a precision of roughly 14 decimal digits is a common value (the 64 bit
> IEEE format)."  From [1].  The example given is clearly over the limit within
> the PHP core.
> 
> This sounds like what I was mentioning before, in a different thread, about
> URL hacking to induce buffer overflow.
> 
> Regards,
> Tommy
> 
> [1] http://www.php.net/manual/en/language.types.float.php

I found something really weird while coding a validator for floating
protection protection.

Case 1 - known DoS / PHP hangs in infinite loop:

  $value = '2.2250738585072011e-308';
  var_dump(floatval($value));

Case 2 - works fine:

  $value = '2.2250738585072011e-307';
or
  $value = '2.2250738585072011e-309';
or
  $value = '2.225073858507201e-308';

  var_dump(floatval($value));

I'd expect the '2.2250738585072011e-309' to hang also on my Win x64 with PHP
FastCGI.  I haven't tested it on *nix platform yet.   Could someone please
confirm this?

Thanks,
Tommy





RE: [PHP] [security] PHP has DoS vuln with large decimal points

2011-01-06 Thread Tommy Pham
> -Original Message-
> From: Daevid Vincent [mailto:dae...@daevid.com]
> Sent: Wednesday, January 05, 2011 11:36 AM
> To: php-general@lists.php.net
> Subject: [PHP] [security] PHP has DoS vuln with large decimal points
> 
> The error in the way floating-point and double-precision numbers are
> handled sends 32-bit systems running Linux, Windows, and FreeBSD into an
> infinite loop that consumes 100 percent of their CPU's resources.
> Developers are still investigating, but they say the bug appears to affect
> versions 5.2 and 5.3 of PHP. They say it could be trivially exploited on many
> websites to cause them to crash by adding long numbers to certain URLs.
> 
> 
> 
> The crash is also triggered when the number is expressed without scientific
> notation, with 324 decimal places.
> 
> Read on...
> 
> http://www.theregister.co.uk/2011/01/04/weird_php_dos_vuln/
> 
> --
> Daevid Vincent
> http://daevid.com
> 
> There are only 11 types of people in this world. Those that think binary
> jokes are funny, those that don't, and those that don't know binary.
> 

"The size of a float is platform-dependent, although a maximum of ~1.8e308
with a precision of roughly 14 decimal digits is a common value (the 64 bit
IEEE format)."  From [1].  The example given is clearly over the limit
within the PHP core.

This sounds like what I was mentioning before, in a different thread, about
URL hacking to induce buffer overflow.

Regards,
Tommy

[1] http://www.php.net/manual/en/language.types.float.php





[PHP] [security] PHP has DoS vuln with large decimal points

2011-01-05 Thread Daevid Vincent
The error in the way floating-point and double-precision numbers are
handled sends 32-bit systems running Linux, Windows, and FreeBSD into an
infinite loop that consumes 100 percent of their CPU's resources.
Developers are still investigating, but they say the bug appears to affect
versions 5.2 and 5.3 of PHP. They say it could be trivially exploited on
many websites to cause them to crash by adding long numbers to certain
URLs.



The crash is also triggered when the number is expressed without scientific
notation, with 324 decimal places.

Read on...

http://www.theregister.co.uk/2011/01/04/weird_php_dos_vuln/

--
Daevid Vincent
http://daevid.com

There are only 11 types of people in this world. Those that think binary
jokes are funny, those that don't, and those that don't know binary.

