Re: [PHP] [security] PHP has DoS vuln with large decimal points

2011-01-25 Thread Pierre Joye
hi,

On Mon, Jan 17, 2011 at 5:21 AM, Tommy Pham tommy...@gmail.com wrote:

 Thanks Dan.  I'll keep it in mind for the future.  For interested parties,
 that's found in the official Windows 5.3.3 NTS VC9 build.  Works fine with
 the current official 5.3.5 NTS VC9.

5.3.5 was released only to fix this exact bug :-)

Cheers,
-- 
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



RE: [PHP] [security] PHP has DoS vuln with large decimal points

2011-01-16 Thread Tommy Pham
 -Original Message-
 From: Tommy Pham [mailto:tommy...@gmail.com]
 Sent: Thursday, January 06, 2011 5:49 PM
 To: 'Daevid Vincent'
 Cc: 'php-general@lists.php.net'
 Subject: RE: [PHP] [security] PHP has DoS vuln with large decimal points
 
  -Original Message-
  From: Daevid Vincent [mailto:dae...@daevid.com]
  Sent: Wednesday, January 05, 2011 11:36 AM
  To: php-general@lists.php.net
  Subject: [PHP] [security] PHP has DoS vuln with large decimal points
 
  The error in the way floating-point and double-precision numbers are
  handled sends 32-bit systems running Linux, Windows, and FreeBSD into
  an infinite loop that consumes 100 percent of their CPU's resources.
  Developers are still investigating, but they say the bug appears to
  affect versions 5.2 and 5.3 of PHP. They say it could be trivially
  exploited on many websites to cause them to crash by adding long
  numbers to certain URLs.
 
  <?php $d = 2.2250738585072011e-308; ?>
 
  The crash is also triggered when the number is expressed without
  scientific notation, with 324 decimal places.
 
  Read on...
 
  http://www.theregister.co.uk/2011/01/04/weird_php_dos_vuln/
 
  --
  Daevid Vincent
  http://daevid.com
 
  There are only 11 types of people in this world. Those that think
  binary jokes are funny, those that don't, and those that don't know
  binary.
 
 
 The size of a float is platform-dependent, although a maximum of ~1.8e308
 with a precision of roughly 14 decimal digits is a common value (the 64 bit
 IEEE format).  From [1].  The example given is clearly over the limit within
 the PHP core.
 
 This sounds like what I was mentioning before, in a different thread, about
 URL hacking to induce buffer overflow.
 
 Regards,
 Tommy
 
 [1] http://www.php.net/manual/en/language.types.float.php

I found something really weird while coding a validator for floating
point protection.

Case 1 - known DoS / PHP hangs in infinite loop:

  $value = '2.2250738585072011e-308';
  var_dump(floatval($value));

Case 2 - works fine:

  $value = '2.2250738585072011e-307';
or
  $value = '2.2250738585072011e-309';
or
  $value = '2.225073858507201e-308';

  var_dump(floatval($value));

I'd expect the '2.2250738585072011e-309' to hang also on my Win x64 with PHP
FastCGI.  I haven't tested it on *nix platform yet.   Could someone please
confirm this?

Thanks,
Tommy





RE: [PHP] [security] PHP has DoS vuln with large decimal points

2011-01-16 Thread Tommy Pham
 -Original Message-
 From: Tommy Pham [mailto:tommy...@gmail.com]
 Sent: Sunday, January 16, 2011 4:18 PM
 To: 'php-general@lists.php.net'
 Subject: RE: [PHP] [security] PHP has DoS vuln with large decimal points
 

<snip>

 
 I found something really weird while coding a validator for floating
 point protection.
 
 Case 1 - known DoS / PHP hangs in infinite loop:
 
   $value = '2.2250738585072011e-308';
   var_dump(floatval($value));
 
 Case 2 - works fine:
 
   $value = '2.2250738585072011e-307';
 or
   $value = '2.2250738585072011e-309';
 or
   $value = '2.225073858507201e-308';
 
   var_dump(floatval($value));
 
 I'd expect the '2.2250738585072011e-309' to hang also on my Win x64 with
 PHP FastCGI.  I haven't tested it on *nix platform yet.   Could someone please
 confirm this?
 
 Thanks,
 Tommy

Here are the results after some further tests for the same platform:

* max float value: 1.7976931348623E+308
* min float value:  9.8813129168249E-324  
floatval('1.00e-323') weird ...

PHP will hang when the value is between (inclusive)

floatval('2.22507385850720102e-308')  -
floatval('2.22507385850720113e-308')

I can't find the bug report for the issue @ bugs.php.net.  Does anyone know
if one is submitted?  I should submit one?  Subscribe to dev list and go from
there?

Thanks,
Tommy
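
Added example (not part of any poster's message, and not PHP project code): one way to screen request parameters for the value range reported above before any code converts them to float, covering both the scientific and the 324-decimal-place spellings mentioned in the thread. The function name, constants and sample inputs are assumptions of this example, and the bounds are only the ones observed in the message above.

```php
<?php
// Added example, not code from the thread. String operations only:
// nothing here casts the input to float or calls floatval().

// Range the thread reports as hanging, written as 18 significant digits at
// decimal exponent -308 (observed by the poster on one Windows 5.3.3 build).
define('HANG_LOW',  '222507385850720102');
define('HANG_HIGH', '222507385850720113');
define('HANG_EXP',  -308);

// Returns true when the numeric prefix of $raw lies inside that range.
function in_reported_hang_range($raw)
{
    // Match the leading number only; trailing text is ignored on conversion.
    $re = '/^\s*[+-]?(\d*)(?:\.(\d*))?(?:e([+-]?)(\d+))?/i';
    if (!is_string($raw) || !preg_match($re, $raw, $m)) {
        return false;
    }
    $frac = isset($m[2]) ? $m[2] : '';
    $sig  = ltrim($m[1] . $frac, '0');           // significant digits
    if ($sig === '') {
        return false;                             // zero, or no digits at all
    }
    $expDigits = isset($m[4]) ? ltrim($m[4], '0') : '';
    if (strlen($expDigits) > 4) {
        return false;                             // far outside double range
    }
    $exp = (int) $expDigits;
    if (isset($m[3]) && $m[3] === '-') {
        $exp = -$exp;
    }
    // Decimal exponent of the first significant digit (d.ddd form).
    $sci = $exp - strlen($frac) + strlen($sig) - 1;
    if ($sci !== HANG_EXP) {
        return false;
    }
    // Digit strings padded to equal length order the same way as the numbers.
    $len = max(strlen($sig), strlen(HANG_LOW));
    $v   = str_pad($sig, $len, '0');
    return strcmp($v, str_pad(HANG_LOW, $len, '0')) >= 0
        && strcmp($v, str_pad(HANG_HIGH, $len, '0')) <= 0;
}

// Constructed sample inputs: the thread's test strings plus the
// 324-decimal-place spelling of the first one.
$samples = array(
    '2.2250738585072011e-308',
    '0.' . str_repeat('0', 307) . '22250738585072011',
    '2.2250738585072011e-307',
    '2.2250738585072011e-309',
    '2.225073858507201e-308',
);
foreach ($samples as $s) {
    printf("%-26.26s %s\n", $s, in_reported_hang_range($s) ? 'reject' : 'pass');
}
```

A screen like this is a stopgap for builds that cannot be upgraded yet; the later messages in this thread report that 5.3.5 no longer hangs.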






Re: [PHP] [security] PHP has DoS vuln with large decimal points

2011-01-16 Thread Jim Lucas
On 1/16/2011 4:18 PM, Tommy Pham wrote:
 -Original Message-
 From: Tommy Pham [mailto:tommy...@gmail.com]
 Sent: Thursday, January 06, 2011 5:49 PM
 To: 'Daevid Vincent'
 Cc: 'php-general@lists.php.net'
 Subject: RE: [PHP] [security] PHP has DoS vuln with large decimal points

 -Original Message-
 From: Daevid Vincent [mailto:dae...@daevid.com]
 Sent: Wednesday, January 05, 2011 11:36 AM
 To: php-general@lists.php.net
 Subject: [PHP] [security] PHP has DoS vuln with large decimal points

 The error in the way floating-point and double-precision numbers are
 handled sends 32-bit systems running Linux, Windows, and FreeBSD into
 an infinite loop that consumes 100 percent of their CPU's resources.
 Developers are still investigating, but they say the bug appears to
 affect versions 5.2 and 5.3 of PHP. They say it could be trivially
 exploited on many websites to cause them to crash by adding long
 numbers to certain URLs.

 <?php $d = 2.2250738585072011e-308; ?>

 The crash is also triggered when the number is expressed without
 scientific notation, with 324 decimal places.

 Read on...

 http://www.theregister.co.uk/2011/01/04/weird_php_dos_vuln/

 --
 Daevid Vincent
 http://daevid.com

 There are only 11 types of people in this world. Those that think
 binary jokes are funny, those that don't, and those that don't know
 binary.


 The size of a float is platform-dependent, although a maximum of ~1.8e308
 with a precision of roughly 14 decimal digits is a common value (the 64 bit
 IEEE format).  From [1].  The example given is clearly over the limit within
 the PHP core.

 This sounds like what I was mentioning before, in a different thread, about
 URL hacking to induce buffer overflow.

 Regards,
 Tommy

 [1] http://www.php.net/manual/en/language.types.float.php
 
 I found something really weird while coding a validator for floating
 point protection.
 
 Case 1 - known DoS / PHP hangs in infinite loop:
 
   $value = '2.2250738585072011e-308';
   var_dump(floatval($value));
 
 Case 2 - works fine:
 
   $value = '2.2250738585072011e-307';
 or
   $value = '2.2250738585072011e-309';
 or
   $value = '2.225073858507201e-308';
 
   var_dump(floatval($value));
 
 I'd expect the '2.2250738585072011e-309' to hang also on my Win x64 with PHP
 FastCGI.  I haven't tested it on *nix platform yet.   Could someone please
 confirm this?
 
 Thanks,
 Tommy
 
 

Seems to work fine for me.

$ cat float.php
<?php

echo "Example 1\n";
$value = 2.2250738585072011e-307;
var_dump(floatval($value));
var_dump($value);

echo "Example 2\n";
$value = 2.2250738585072011e-308;
var_dump(floatval($value));
var_dump($value);

echo "Example 3\n";
$value = 2.2250738585072011e-309;
var_dump(floatval($value));
var_dump($value);

echo "Example 4\n";
$value = 2.225073858507201e-308;
var_dump(floatval($value));
var_dump($value);

?>
$ php -f float.php
Example 1
float(2.2250738585072E-307)
float(2.2250738585072E-307)
Example 2
float(2.2250738585072E-308)
float(2.2250738585072E-308)
Example 3
float(2.2250738585072E-309)
float(2.2250738585072E-309)
Example 4
float(2.2250738585072E-308)
float(2.2250738585072E-308)

$ uname -a
OpenBSD serv0.cmsws.com 4.3 GENERIC#698 i386
$ php -v
PHP 5.2.5 with Suhosin-Patch 0.9.6.2 (cli) (built: Mar 11 2008 13:08:50)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
with Suhosin v0.9.20, Copyright (c) 2002-2006, by Hardened-PHP Project

No infinite loop.  I like my system... :)

Jim Lucas




Re: [PHP] [security] PHP has DoS vuln with large decimal points

2011-01-16 Thread Daniel Brown
On Sun, Jan 16, 2011 at 21:00, Tommy Pham tommy...@gmail.com wrote:

 Here are the results after some further tests for the same platform:

 * max float value: 1.7976931348623E+308
 * min float value:  9.8813129168249E-324  
 floatval('1.00e-323') weird ...

 PHP will hang when the value is between (inclusive)

 floatval('2.22507385850720102e-308')  -
 floatval('2.22507385850720113e-308')

 I can't find the bug report for the issue @ bugs.php.net.  Does anyone know
 if one is submitted?  I should submit one?  Subscribe to dev list and go from
 there?

If in doubt, file a bug.  Worse comes to worst, it will be marked
as bogus or a duplicate.  For security-related things, send them to
secur...@php.net, not to the General list.  Again, if it's of no
concern, it will simply be ignored as bogus or already known.

-- 
/Daniel P. Brown
Network Infrastructure Manager
Documentation, Webmaster Teams
http://www.php.net/




RE: [PHP] [security] PHP has DoS vuln with large decimal points

2011-01-16 Thread Tommy Pham
 -Original Message-
 From: Jim Lucas [mailto:li...@cmsws.com]
 Sent: Sunday, January 16, 2011 6:54 PM
 To: Tommy Pham
 Cc: php-general@lists.php.net
 Subject: Re: [PHP] [security] PHP has DoS vuln with large decimal points
 
 On 1/16/2011 4:18 PM, Tommy Pham wrote:
  -Original Message-
  From: Tommy Pham [mailto:tommy...@gmail.com]
  Sent: Thursday, January 06, 2011 5:49 PM
  To: 'Daevid Vincent'
  Cc: 'php-general@lists.php.net'
  Subject: RE: [PHP] [security] PHP has DoS vuln with large decimal
  points
 
  -Original Message-
  From: Daevid Vincent [mailto:dae...@daevid.com]
  Sent: Wednesday, January 05, 2011 11:36 AM
  To: php-general@lists.php.net
  Subject: [PHP] [security] PHP has DoS vuln with large decimal points
 
  The error in the way floating-point and double-precision numbers are
  handled sends 32-bit systems running Linux, Windows, and FreeBSD
  into an infinite loop that consumes 100 percent of their CPU's resources.
  Developers are still investigating, but they say the bug appears to
  affect versions 5.2 and 5.3 of PHP. They say it could be trivially
  exploited on many websites to cause them to crash by adding long
  numbers to certain URLs.
 
  <?php $d = 2.2250738585072011e-308; ?>
 
  The crash is also triggered when the number is expressed without
  scientific notation, with 324 decimal places.
 
  Read on...
 
  http://www.theregister.co.uk/2011/01/04/weird_php_dos_vuln/
 
  --
  Daevid Vincent
  http://daevid.com
 
  There are only 11 types of people in this world. Those that think
  binary jokes are funny, those that don't, and those that don't know
  binary.
 
 
  The size of a float is platform-dependent, although a maximum of
  ~1.8e308 with a precision of roughly 14 decimal digits is a common
  value (the 64 bit IEEE format).  From [1].  The example given is clearly
  over the limit within the PHP core.
 
  This sounds like what I was mentioning before, in a different thread,
  about URL hacking to induce buffer overflow.
 
  Regards,
  Tommy
 
  [1] http://www.php.net/manual/en/language.types.float.php
 
  I found something really weird while coding a validator for floating
  point protection.
 
  Case 1 - known DoS / PHP hangs in infinite loop:
 
    $value = '2.2250738585072011e-308';
    var_dump(floatval($value));
 
  Case 2 - works fine:
 
    $value = '2.2250738585072011e-307';
  or
    $value = '2.2250738585072011e-309';
  or
    $value = '2.225073858507201e-308';
 
    var_dump(floatval($value));
 
  I'd expect the '2.2250738585072011e-309' to hang also on my Win x64 with
  PHP FastCGI.  I haven't tested it on *nix platform yet.   Could someone please
  confirm this?
 
  Thanks,
  Tommy
 
 
 
 Seems to work fine for me.
 
 $ cat float.php
 <?php
 
 echo "Example 1\n";
 $value = 2.2250738585072011e-307;
 var_dump(floatval($value));
 var_dump($value);
 
 echo "Example 2\n";
 $value = 2.2250738585072011e-308;
 var_dump(floatval($value));
 var_dump($value);
 
 echo "Example 3\n";
 $value = 2.2250738585072011e-309;
 var_dump(floatval($value));
 var_dump($value);
 
 echo "Example 4\n";
 $value = 2.225073858507201e-308;
 var_dump(floatval($value));
 var_dump($value);
 
 ?>
 $ php -f float.php
 Example 1
 float(2.2250738585072E-307)
 float(2.2250738585072E-307)
 Example 2
 float(2.2250738585072E-308)
 float(2.2250738585072E-308)
 Example 3
 float(2.2250738585072E-309)
 float(2.2250738585072E-309)
 Example 4
 float(2.2250738585072E-308)
 float(2.2250738585072E-308)
 
 $ uname -a
 OpenBSD serv0.cmsws.com 4.3 GENERIC#698 i386
 $ php -v
 PHP 5.2.5 with Suhosin-Patch 0.9.6.2 (cli) (built: Mar 11 2008 13:08:50)
 Copyright (c) 1997-2007 The PHP Group
 Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
 with Suhosin v0.9.20, Copyright (c) 2002-2006, by Hardened-PHP Project
 
 No infinite loop.  I like my system... :)
 
 Jim Lucas

Hi Jim,

Thanks for the confirmation.  It appears that the bug is with the official
binary Windows distribution PHP 5.3.3 NTS and most likely with 5.3.3.  I
just upgraded to NTS 5.3.5 and it works fine now.  It also runs fine against
unofficial PHP 5.2.5 x64 Windows ISAPI.

Thanks,
Tommy







[PHP] Re: [PHP-DEV] Re: [PHP] [security] PHP has DoS vuln with large decimal points

2011-01-16 Thread Mike Robinson
On 2011-01-16, at 9:59 PM, Daniel Brown danbr...@php.net wrote:

 On Sun, Jan 16, 2011 at 21:00, Tommy Pham tommy...@gmail.com wrote:
 
 Here are the results after some further tests for the same platform:
 
 * max float value: 1.7976931348623E+308
 * min float value:  9.8813129168249E-324  
 floatval('1.00e-323') weird ...
 
 PHP will hang when the value is between (inclusive)
 
 floatval('2.22507385850720102e-308')  -
 floatval('2.22507385850720113e-308')
 
 I can't find the bug report for the issue @ bugs.php.net.  Does anyone know
 if one is submitted?  I should submit one?  Subscribe to dev list and go from
 there?
 
If in doubt, file a bug.  Worse comes to worst, it will be marked
 as bogus or a duplicate.  For security-related things, send them to
 secur...@php.net, not to the General list.  Again, if it's of no
 concern, it will simply be ignored as bogus or already known

Is this not it?

http://bugs.php.net/53632

Best Regards

Mike Robinson



RE: [PHP] [security] PHP has DoS vuln with large decimal points

2011-01-16 Thread Tommy Pham
 -Original Message-
 From: paras...@gmail.com [mailto:paras...@gmail.com] On Behalf Of
 Daniel Brown
 Sent: Sunday, January 16, 2011 7:00 PM
 To: Tommy Pham
 Cc: PHP General; PHP Internals List; secur...@php.net
 Subject: Re: [PHP] [security] PHP has DoS vuln with large decimal points
 
 On Sun, Jan 16, 2011 at 21:00, Tommy Pham tommy...@gmail.com wrote:
 
  Here are the results after some further tests for the same platform:
 
  * max float value: 1.7976931348623E+308
  * min float value:  9.8813129168249E-324  
  floatval('1.00e-323') weird ...
 
  PHP will hang when the value is between (inclusive)
 
  floatval('2.22507385850720102e-308')  -
  floatval('2.22507385850720113e-308')
 
  I can't find the bug report for the issue @ bugs.php.net.  Does anyone
  know if one is submitted?  I should submit one?  Subscribe to dev list
  and go from there?
 
 If in doubt, file a bug.  Worse comes to worst, it will be marked as bogus or
 a duplicate.  For security-related things, send them to secur...@php.net,
 not to the General list.  Again, if it's of no concern, it will simply be ignored
 as bogus or already known.
 
 --
 /Daniel P. Brown
 Network Infrastructure Manager
 Documentation, Webmaster Teams
 http://www.php.net/

Thanks Dan.  I'll keep it in mind for the future.  For interested parties,
that's found in the official Windows 5.3.3 NTS VC9 build.  Works fine with
the current official 5.3.5 NTS VC9.

Thanks,
Tommy





RE: [PHP] [security] PHP has DoS vuln with large decimal points

2011-01-06 Thread Tommy Pham
 -Original Message-
 From: Daevid Vincent [mailto:dae...@daevid.com]
 Sent: Wednesday, January 05, 2011 11:36 AM
 To: php-general@lists.php.net
 Subject: [PHP] [security] PHP has DoS vuln with large decimal points
 
 The error in the way floating-point and double-precision numbers are
 handled sends 32-bit systems running Linux, Windows, and FreeBSD into an
 infinite loop that consumes 100 percent of their CPU's resources.
 Developers are still investigating, but they say the bug appears to affect
 versions 5.2 and 5.3 of PHP. They say it could be trivially exploited on many
 websites to cause them to crash by adding long numbers to certain URLs.
 
 <?php $d = 2.2250738585072011e-308; ?>
 
 The crash is also triggered when the number is expressed without scientific
 notation, with 324 decimal places.
 
 Read on...
 
 http://www.theregister.co.uk/2011/01/04/weird_php_dos_vuln/
 
 --
 Daevid Vincent
 http://daevid.com
 
 There are only 11 types of people in this world. Those that think binary
 jokes are funny, those that don't, and those that don't know binary.
 

The size of a float is platform-dependent, although a maximum of ~1.8e308
with a precision of roughly 14 decimal digits is a common value (the 64 bit
IEEE format).  From [1].  The example given is clearly over the limit
within the PHP core.

This sounds like what I was mentioning before, in a different thread, about
URL hacking to induce buffer overflow.

Regards,
Tommy

[1] http://www.php.net/manual/en/language.types.float.php

