Re: [PHP] [security] PHP has DoS vuln with large decimal points
hi,

On Mon, Jan 17, 2011 at 5:21 AM, Tommy Pham wrote:
> Thanks Dan. I'll keep it in mind for the future. For interested parties,
> that's found in the official Windows 5.3.3 NTS VC9 build. Works fine with
> the current official 5.3.5 NTS VC9.

5.3.5 was released only to fix this exact bug :-)

Cheers,
--
Pierre
@pierrejoye | http://blog.thepimp.net | http://www.libgd.org

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

RE: [PHP] [security] PHP has DoS vuln with large decimal points
> -----Original Message-----
> From: paras...@gmail.com [mailto:paras...@gmail.com] On Behalf Of
> Daniel Brown
> Sent: Sunday, January 16, 2011 7:00 PM
> To: Tommy Pham
> Cc: PHP General; PHP Internals List; secur...@php.net
> Subject: Re: [PHP] [security] PHP has DoS vuln with large decimal points
>
> On Sun, Jan 16, 2011 at 21:00, Tommy Pham wrote:
> >
> > Here are the results after some further tests for the same platform:
> >
> > * max float value: 1.7976931348623E+308
> > * min float value: 9.8813129168249E-324 <<
> > floatval('1.00e-323') weird ...
> >
> > PHP will hang when the value is between (inclusive)
> >
> > floatval('2.22507385850720102e-308') -
> > floatval('2.22507385850720113e-308')
> >
> > I can't find the bug report for the issue @ bugs.php.net. Does anyone
> > know if one is submitted? I should submit one? Subscribe to dev list
> > and go from there?
>
> If in doubt, file a bug. Worse comes to worst, it will be marked as bogus or
> a duplicate. For security-related things, send them to secur...@php.net,
> not to the General list. Again, if it's of no concern, it will simply be ignored
> as bogus or already known.
>
> --
>
> Network Infrastructure Manager
> Documentation, Webmaster Teams
> http://www.php.net/

Thanks Dan. I'll keep it in mind for the future. For interested parties,
that's found in the official Windows 5.3.3 NTS VC9 build. Works fine with
the current official 5.3.5 NTS VC9.

Thanks,
Tommy

[PHP] Re: [PHP-DEV] Re: [PHP] [security] PHP has DoS vuln with large decimal points
On 2011-01-16, at 9:59 PM, Daniel Brown wrote:

> On Sun, Jan 16, 2011 at 21:00, Tommy Pham wrote:
>>
>> Here are the results after some further tests for the same platform:
>>
>> * max float value: 1.7976931348623E+308
>> * min float value: 9.8813129168249E-324 <<
>> floatval('1.00e-323') weird ...
>>
>> PHP will hang when the value is between (inclusive)
>>
>> floatval('2.22507385850720102e-308') -
>> floatval('2.22507385850720113e-308')
>>
>> I can't find the bug report for the issue @ bugs.php.net. Does anyone know
>> if one is submitted? I should submit one? Subscribe to dev list and go from
>> there?
>
> If in doubt, file a bug. Worse comes to worst, it will be marked
> as bogus or a duplicate. For security-related things, send them to
> secur...@php.net, not to the General list. Again, if it's of no
> concern, it will simply be ignored as bogus or already known

Is this not it?

http://bugs.php.net/53632

Best Regards

Mike Robinson

RE: [PHP] [security] PHP has DoS vuln with large decimal points
> -----Original Message-----
> From: Jim Lucas [mailto:li...@cmsws.com]
> Sent: Sunday, January 16, 2011 6:54 PM
> To: Tommy Pham
> Cc: php-general@lists.php.net
> Subject: Re: [PHP] [security] PHP has DoS vuln with large decimal points
>
> On 1/16/2011 4:18 PM, Tommy Pham wrote:
> >> -----Original Message-----
> >> From: Tommy Pham [mailto:tommy...@gmail.com]
> >> Sent: Thursday, January 06, 2011 5:49 PM
> >> To: 'Daevid Vincent'
> >> Cc: 'php-general@lists.php.net'
> >> Subject: RE: [PHP] [security] PHP has DoS vuln with large decimal
> >> points
> >>
> >>> -----Original Message-----
> >>> From: Daevid Vincent [mailto:dae...@daevid.com]
> >>> Sent: Wednesday, January 05, 2011 11:36 AM
> >>> To: php-general@lists.php.net
> >>> Subject: [PHP] [security] PHP has DoS vuln with large decimal points
> >>>
> >>> The error in the way floating-point and double-precision numbers are
> >>> handled sends 32-bit systems running Linux, Windows, and FreeBSD
> >>> into an infinite loop that consumes 100 percent of their CPU's resources.
> >>> Developers are still investigating, but they say the bug appears to
> >>> affect versions 5.2 and 5.3 of PHP. They say it could be trivially
> >>> exploited on many websites to cause them to crash by adding long
> >>> numbers to certain URLs.
> >>>
> >>>
> >>>
> >>> The crash is also triggered when the number is expressed without
> >>> scientific notation, with 324 decimal places.
> >>>
> >>> Read on...
> >>>
> >>> http://www.theregister.co.uk/2011/01/04/weird_php_dos_vuln/
> >>>
> >>> --
> >>> Daevid Vincent
> >>> http://daevid.com
> >>>
> >>> There are only 11 types of people in this world. Those that think
> >>> binary jokes are funny, those that don't, and those that don't know
> >>> binary.
> >>>
> >>
> >> "The size of a float is platform-dependent, although a maximum of
> >> ~1.8e308 with a precision of roughly 14 decimal digits is a common
> >> value (the 64 bit IEEE format)." From [1]. The example given is
> >> clearly over the limit within the PHP core.
> >>
> >> This sounds like what I was mentioning before, in a different thread,
> >> about URL hacking to induce buffer overflow.
> >>
> >> Regards,
> >> Tommy
> >>
> >> [1] http://www.php.net/manual/en/language.types.float.php
> >
> > I found something really weird while coding a validator for floating
> > protection protection.
> >
> > Case 1 - known DoS / PHP hangs in infinite loop:
> >
> > $value = '2.2250738585072011e-308';
> > var_dump(floatval($value));
> >
> > Case 2 - works fine:
> >
> > $value = '2.2250738585072011e-307';
> > or
> > $value = '2.2250738585072011e-309';
> > or
> > $value = '2.225073858507201e-308';
> >
> > var_dump(floatval($value));
> >
> > I'd expect the '2.2250738585072011e-309' to hang also on my Win x64 with PHP
> > FastCGI. I haven't tested it on *nix platform yet. Could someone please
> > confirm this?
> >
> > Thanks,
> > Tommy
> >
> >
>
> Seems to work fine for me.
>
> $ cat float.php
> <?php
>
> echo "Example 1\n";
> $value = 2.2250738585072011e-307;
> var_dump(floatval($value));
> var_dump($value);
>
> echo "Example 2\n";
> $value = 2.2250738585072011e-308;
> var_dump(floatval($value));
> var_dump($value);
>
> echo "Example 3\n";
> $value = 2.2250738585072011e-309;
> var_dump(floatval($value));
> var_dump($value);
>
> echo "Example 4\n";
> $value = 2.225073858507201e-308;
> var_dump(floatval($value));
> var_dump($value);
>
> ?>
> $ php -f float.php
> Example 1
> float(2.2250738585072E-307)
> float(2.2250738585072E-307)
> Example 2
> float(2.2250738585072E-308)
> float(2.2250738585072E-308)
> Example 3
> float(2.2250738585072E-309)
> float(2.2250738585072E-309)
> Example 4
> float(2.2250738585072E-308)
> float(2.2250738585072E-308)
>
> $ uname -a
> OpenBSD serv0.cmsws.com 4.3 GENERIC#698 i386
> $ php -v
> PHP 5.2.5 with Suhosin-Patch 0.9.6.2 (cli) (built: Mar 11 2008 13:08:50)
> Copyright (c) 1997-2007 The PHP Group
> Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
>     with Suhosin v0.9.20, Copyright (c) 2002-2006, by Hardened-PHP Project
>
> No infinite loop. I like my system... :)
>
> Jim Lucas

Hi Jim,

Thanks for the confirmation. It appears that the bug is with the official
binary Windows distribution PHP 5.3.3 NTS and most likely with 5.3.3. I just
upgraded to NTS 5.3.5 and it works fine now. It also runs fine against
unofficial PHP 5.2.5 x64 Windows ISAPI.

Thanks,
Tommy

Re: [PHP] [security] PHP has DoS vuln with large decimal points
On Sun, Jan 16, 2011 at 21:00, Tommy Pham wrote:
>
> Here are the results after some further tests for the same platform:
>
> * max float value: 1.7976931348623E+308
> * min float value: 9.8813129168249E-324 <<
> floatval('1.00e-323') weird ...
>
> PHP will hang when the value is between (inclusive)
>
> floatval('2.22507385850720102e-308') -
> floatval('2.22507385850720113e-308')
>
> I can't find the bug report for the issue @ bugs.php.net. Does anyone know
> if one is submitted? I should submit one? Subscribe to dev list and go from
> there?

If in doubt, file a bug. Worse comes to worst, it will be marked as
bogus or a duplicate. For security-related things, send them to
secur...@php.net, not to the General list. Again, if it's of no
concern, it will simply be ignored as bogus or already known.

--

Network Infrastructure Manager
Documentation, Webmaster Teams
http://www.php.net/

Re: [PHP] [security] PHP has DoS vuln with large decimal points
On 1/16/2011 4:18 PM, Tommy Pham wrote:
>> -----Original Message-----
>> From: Tommy Pham [mailto:tommy...@gmail.com]
>> Sent: Thursday, January 06, 2011 5:49 PM
>> To: 'Daevid Vincent'
>> Cc: 'php-general@lists.php.net'
>> Subject: RE: [PHP] [security] PHP has DoS vuln with large decimal points
>>
>>> -----Original Message-----
>>> From: Daevid Vincent [mailto:dae...@daevid.com]
>>> Sent: Wednesday, January 05, 2011 11:36 AM
>>> To: php-general@lists.php.net
>>> Subject: [PHP] [security] PHP has DoS vuln with large decimal points
>>>
>>> The error in the way floating-point and double-precision numbers are
>>> handled sends 32-bit systems running Linux, Windows, and FreeBSD into
>>> an infinite loop that consumes 100 percent of their CPU's resources.
>>> Developers are still investigating, but they say the bug appears to
>>> affect versions 5.2 and 5.3 of PHP. They say it could be trivially
>>> exploited on many websites to cause them to crash by adding long
>>> numbers to certain URLs.
>>>
>>>
>>>
>>> The crash is also triggered when the number is expressed without
>>> scientific notation, with 324 decimal places.
>>>
>>> Read on...
>>>
>>> http://www.theregister.co.uk/2011/01/04/weird_php_dos_vuln/
>>>
>>> --
>>> Daevid Vincent
>>> http://daevid.com
>>>
>>> There are only 11 types of people in this world. Those that think
>>> binary jokes are funny, those that don't, and those that don't know
>>> binary.
>>>
>>
>> "The size of a float is platform-dependent, although a maximum of ~1.8e308
>> with a precision of roughly 14 decimal digits is a common value (the 64 bit
>> IEEE format)." From [1]. The example given is clearly over the limit within
>> the PHP core.
>>
>> This sounds like what I was mentioning before, in a different thread, about
>> URL hacking to induce buffer overflow.
>>
>> Regards,
>> Tommy
>>
>> [1] http://www.php.net/manual/en/language.types.float.php
>
> I found something really weird while coding a validator for floating
> protection protection.
>
> Case 1 - known DoS / PHP hangs in infinite loop:
>
> $value = '2.2250738585072011e-308';
> var_dump(floatval($value));
>
> Case 2 - works fine:
>
> $value = '2.2250738585072011e-307';
> or
> $value = '2.2250738585072011e-309';
> or
> $value = '2.225073858507201e-308';
>
> var_dump(floatval($value));
>
> I'd expect the '2.2250738585072011e-309' to hang also on my Win x64 with PHP
> FastCGI. I haven't tested it on *nix platform yet. Could someone please
> confirm this?
>
> Thanks,
> Tommy
>

Seems to work fine for me.

$ cat float.php
$ php -f float.php
Example 1
float(2.2250738585072E-307)
float(2.2250738585072E-307)
Example 2
float(2.2250738585072E-308)
float(2.2250738585072E-308)
Example 3
float(2.2250738585072E-309)
float(2.2250738585072E-309)
Example 4
float(2.2250738585072E-308)
float(2.2250738585072E-308)

$ uname -a
OpenBSD serv0.cmsws.com 4.3 GENERIC#698 i386
$ php -v
PHP 5.2.5 with Suhosin-Patch 0.9.6.2 (cli) (built: Mar 11 2008 13:08:50)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
    with Suhosin v0.9.20, Copyright (c) 2002-2006, by Hardened-PHP Project

No infinite loop. I like my system... :)

Jim Lucas

RE: [PHP] [security] PHP has DoS vuln with large decimal points
> -----Original Message-----
> From: Tommy Pham [mailto:tommy...@gmail.com]
> Sent: Sunday, January 16, 2011 4:18 PM
> To: 'php-general@lists.php.net'
> Subject: RE: [PHP] [security] PHP has DoS vuln with large decimal points
>
>
> I found something really weird while coding a validator for floating
> protection protection.
>
> Case 1 - known DoS / PHP hangs in infinite loop:
>
> $value = '2.2250738585072011e-308';
> var_dump(floatval($value));
>
> Case 2 - works fine:
>
> $value = '2.2250738585072011e-307';
> or
> $value = '2.2250738585072011e-309';
> or
> $value = '2.225073858507201e-308';
>
> var_dump(floatval($value));
>
> I'd expect the '2.2250738585072011e-309' to hang also on my Win x64 with
> PHP FastCGI. I haven't tested it on *nix platform yet. Could someone please
> confirm this?
>
> Thanks,
> Tommy

Here are the results after some further tests for the same platform:

* max float value: 1.7976931348623E+308
* min float value: 9.8813129168249E-324 << floatval('1.00e-323') weird ...

PHP will hang when the value is between (inclusive)

floatval('2.22507385850720102e-308') - floatval('2.22507385850720113e-308')

I can't find the bug report for the issue @ bugs.php.net. Does anyone know
if one is submitted? I should submit one? Subscribe to dev list and go from
there?

Thanks,
Tommy

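The range reported in the post above can be tested on the raw request text, before any string-to-float conversion runs. This is an added example, not code from the thread or from the PHP project; `in_reported_hang_range`, `offending_params` and the sample parameters are made-up names, and the bounds are the ones listed in that post.

```php
<?php
// Added example, not from the thread. Bounds are the inclusive range reported
// above, as digit strings: value = 0.<digits> x 10^HANG_POINT.
define('HANG_LO', '222507385850720102');
define('HANG_HI', '222507385850720113');
define('HANG_POINT', -307);

// True if the numeric prefix of $s (the part a string-to-double conversion
// reads) is inside that range. Works on text only: no (float), floatval(),
// is_numeric() or loose ==, because each of those converts the string.
function in_reported_hang_range($s)
{
    if (!is_string($s)) return false;
    preg_match('/^\s*[+-]?(\d*)(?:\.(\d*))?(?:[eE]([+-]?\d+))?/', $s, $m);
    $int  = isset($m[1]) ? $m[1] : '';
    $frac = isset($m[2]) ? $m[2] : '';
    $exp  = isset($m[3]) ? $m[3] : '0';
    $all    = $int . $frac;
    $digits = ltrim($all, '0');          // significant digits only
    if ($digits === '' || strlen(ltrim($exp, '+-0')) > 9) {
        return false;                    // zero, no number, or exponent far out of range
    }
    // value = 0.<digits> x 10^$point
    $point = strlen($int) + (int) $exp - (strlen($all) - strlen($digits));
    if ($point !== HANG_POINT) return false;
    $w = max(strlen($digits), strlen(HANG_LO));
    $d = str_pad($digits, $w, '0');      // right-pad so strcmp compares digit by digit
    return strcmp($d, str_pad(HANG_LO, $w, '0')) >= 0
        && strcmp($d, str_pad(HANG_HI, $w, '0')) <= 0;
}

// Names of parameters (nested arrays included) whose value is in the range.
function offending_params($params)
{
    $bad = array();
    foreach ($params as $name => $value) {
        if (is_array($value)) {
            $bad = array_merge($bad, offending_params($value));
        } elseif (in_reported_hang_range($value)) {
            $bad[] = $name;
        }
    }
    return $bad;
}

// Constructed sample standing in for $_GET.
$sample = array(
    'price' => '19.99',
    'a' => '2.2250738585072011e-308',                         // scientific notation
    'b' => '2.225073858507201e-308',                          // one digit shorter
    'c' => '0.' . str_repeat('0', 307) . '22250738585072011', // 324 decimal places
    'd' => ' 22250738585072011e-324 trailing text',           // padded integer mantissa
);
print_r(offending_params($sample));
```

The thread reports 5.3.5 as fixed, so a check like this only matters as a stopgap in front of builds that still hang.
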
RE: [PHP] [security] PHP has DoS vuln with large decimal points
> -----Original Message-----
> From: Tommy Pham [mailto:tommy...@gmail.com]
> Sent: Thursday, January 06, 2011 5:49 PM
> To: 'Daevid Vincent'
> Cc: 'php-general@lists.php.net'
> Subject: RE: [PHP] [security] PHP has DoS vuln with large decimal points
>
> > -----Original Message-----
> > From: Daevid Vincent [mailto:dae...@daevid.com]
> > Sent: Wednesday, January 05, 2011 11:36 AM
> > To: php-general@lists.php.net
> > Subject: [PHP] [security] PHP has DoS vuln with large decimal points
> >
> > The error in the way floating-point and double-precision numbers are
> > handled sends 32-bit systems running Linux, Windows, and FreeBSD into
> > an infinite loop that consumes 100 percent of their CPU's resources.
> > Developers are still investigating, but they say the bug appears to
> > affect versions 5.2 and 5.3 of PHP. They say it could be trivially
> > exploited on many websites to cause them to crash by adding long
> > numbers to certain URLs.
> >
> >
> >
> > The crash is also triggered when the number is expressed without
> > scientific notation, with 324 decimal places.
> >
> > Read on...
> >
> > http://www.theregister.co.uk/2011/01/04/weird_php_dos_vuln/
> >
> > --
> > Daevid Vincent
> > http://daevid.com
> >
> > There are only 11 types of people in this world. Those that think
> > binary jokes are funny, those that don't, and those that don't know binary.
> >
>
> "The size of a float is platform-dependent, although a maximum of ~1.8e308
> with a precision of roughly 14 decimal digits is a common value (the 64 bit
> IEEE format)." From [1]. The example given is clearly over the limit within
> the PHP core.
>
> This sounds like what I was mentioning before, in a different thread, about
> URL hacking to induce buffer overflow.
>
> Regards,
> Tommy
>
> [1] http://www.php.net/manual/en/language.types.float.php

I found something really weird while coding a validator for floating
protection protection.

Case 1 - known DoS / PHP hangs in infinite loop:

$value = '2.2250738585072011e-308';
var_dump(floatval($value));

Case 2 - works fine:

$value = '2.2250738585072011e-307';
or
$value = '2.2250738585072011e-309';
or
$value = '2.225073858507201e-308';

var_dump(floatval($value));

I'd expect the '2.2250738585072011e-309' to hang also on my Win x64 with PHP
FastCGI. I haven't tested it on *nix platform yet. Could someone please
confirm this?

Thanks,
Tommy

RE: [PHP] [security] PHP has DoS vuln with large decimal points
> -----Original Message-----
> From: Daevid Vincent [mailto:dae...@daevid.com]
> Sent: Wednesday, January 05, 2011 11:36 AM
> To: php-general@lists.php.net
> Subject: [PHP] [security] PHP has DoS vuln with large decimal points
>
> The error in the way floating-point and double-precision numbers are
> handled sends 32-bit systems running Linux, Windows, and FreeBSD into an
> infinite loop that consumes 100 percent of their CPU's resources.
> Developers are still investigating, but they say the bug appears to affect
> versions 5.2 and 5.3 of PHP. They say it could be trivially exploited on many
> websites to cause them to crash by adding long numbers to certain URLs.
>
>
>
> The crash is also triggered when the number is expressed without scientific
> notation, with 324 decimal places.
>
> Read on...
>
> http://www.theregister.co.uk/2011/01/04/weird_php_dos_vuln/
>
> --
> Daevid Vincent
> http://daevid.com
>
> There are only 11 types of people in this world. Those that think binary
> jokes are funny, those that don't, and those that don't know binary.
>

"The size of a float is platform-dependent, although a maximum of ~1.8e308
with a precision of roughly 14 decimal digits is a common value (the 64 bit
IEEE format)." From [1]. The example given is clearly over the limit within
the PHP core.

This sounds like what I was mentioning before, in a different thread, about
URL hacking to induce buffer overflow.

Regards,
Tommy

[1] http://www.php.net/manual/en/language.types.float.php

[PHP] [security] PHP has DoS vuln with large decimal points
The error in the way floating-point and double-precision numbers are
handled sends 32-bit systems running Linux, Windows, and FreeBSD into an
infinite loop that consumes 100 percent of their CPU's resources.
Developers are still investigating, but they say the bug appears to affect
versions 5.2 and 5.3 of PHP. They say it could be trivially exploited on many
websites to cause them to crash by adding long numbers to certain URLs.

The crash is also triggered when the number is expressed without scientific
notation, with 324 decimal places.

Read on...

http://www.theregister.co.uk/2011/01/04/weird_php_dos_vuln/

--
Daevid Vincent
http://daevid.com

There are only 11 types of people in this world. Those that think binary
jokes are funny, those that don't, and those that don't know binary.