Re: [PHP] Nasty DoS in PHP | Windows only?
Just catching up on my emails and saw this thread.

Just a note that it didn't happen under

FreeBSD 4.5-R p3
PHP 4.1.2 (Apache module)
386M Ram, PIII 450 box

The script died after the max_time setting, and apache's children returned back to their happy go lucky nature all by themselves...

Billy S Halsey wrote:

> Actually, it occurs on Solaris as well. I just coded up the script,
> and it brought my server to its knees, though I was able to break it
> before it hanged hard.
>
> My configuration:
>
>   * Solaris 8 108528-12
>   * PHP 4.1.1 as an executable (didn't try through Apache)
>   * 512mb ram, 1 @ 440MHz UltraSPARC IIi
>
> My php.ini specifies:
>
>   * max_execution_time = 120
>   * memory_limit = 128M
>
> Yet, I let the script run for a while (over two minutes) and it had
> managed to consume 80% of my cpu time and over one gig of virtual
> memory (phys + swap)!
>
> It should be noted that while this is indeed a "very bad thing," the
> following snippet of C code is just as bad, yet it's not technically a
> bug -- just bad programming:
>
>     #include <stdlib.h>   /* malloc */
>
>     int main(void)
>     {
>         void *p;
>         while (1)
>             p = malloc(1024);
>         /*NOTREACHED*/
>         return 0;
>     }
>
> /bsh/
>
> Jason Murray wrote:
>
>>> I'd be interested in knowing your versions and the versions of the
>>> first guy that posted about this. Maybe he has the same setup as me,
>>> or close enough, but both of us are different from you.
>>
>> Actually, I just thought about it - maybe you guys are both running
>> it on Windows (shame on you ;)).
>>
>> I *have* actually seen PHP bring down IIS with a setcookie command.
>> Since a setcookie issues headers, I thought "fine, screw you, I'll
>> set the headers myself", and it STILL brought IIS down. And indeed,
>> the load *did* skyrocket and require a reboot of the server.
>>
>> I asked around here at the time if anyone had experienced this (look
>> through the mailing list archive to find it) and at the time got
>> more of a congratulatory salute from the list members than any real
>> responses :)
>>
>> Maybe this is more of a PHP-on-IIS issue than an actual security
>> issue in PHP.
>>
>> Jason

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Nasty DoS in PHP | Windows only?
Actually, it occurs on Solaris as well. I just coded up the script, and it brought my server to its knees, though I was able to break it before it hanged hard.

My configuration:

  * Solaris 8 108528-12
  * PHP 4.1.1 as an executable (didn't try through Apache)
  * 512mb ram, 1 @ 440MHz UltraSPARC IIi

My php.ini specifies:

  * max_execution_time = 120
  * memory_limit = 128M

Yet, I let the script run for a while (over two minutes) and it had managed to consume 80% of my cpu time and over one gig of virtual memory (phys + swap)!

It should be noted that while this is indeed a "very bad thing," the following snippet of C code is just as bad, yet it's not technically a bug -- just bad programming:

    #include <stdlib.h>   /* malloc */

    int main(void)
    {
        void *p;
        while (1)
            p = malloc(1024);
        /*NOTREACHED*/
        return 0;
    }

/bsh/

Jason Murray wrote:

>> I'd be interested in knowing your versions and the versions
>> of the first guy that posted about this. Maybe he has the same
>> setup as me, or close enough, but both of us are different
>> from you.
>
> Actually, I just thought about it - maybe you guys are both running
> it on Windows (shame on you ;)).
>
> I *have* actually seen PHP bring down IIS with a setcookie command.
> Since a setcookie issues headers, I thought "fine, screw you, I'll
> set the headers myself", and it STILL brought IIS down. And indeed,
> the load *did* skyrocket and require a reboot of the server.
>
> I asked around here at the time if anyone had experienced this (look
> through the mailing list archive to find it) and at the time got
> more of a congratulatory salute from the list members than any real
> responses :)
>
> Maybe this is more of a PHP-on-IIS issue than an actual security
> issue in PHP.
>
> Jason

--
/-=[ BILLY S HALSEY ]=--\
| Member of Technical Staff, Sun Microsystems, Inc. ESP Solaris SW |
| "All opinions and technical advice offered in this message are my |
| own and not necessarily endorsed by my employer." |
\--=[ [EMAIL PROTECTED] ]=/

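Added example, not part of the message above or of the thread: the same malloc(1024) loop run in a child process under an OS-level setrlimit() cap, so the loop ends when malloc() returns NULL instead of eating swap. This is a backstop that holds even when the php.ini limits quoted above do not take effect. The function name run_capped_alloc_loop, the 32 MiB cap and the 5-second CPU limit are assumptions chosen for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/resource.h>
#include <sys/wait.h>

#define CAP_BYTES (32UL * 1024 * 1024)  /* assumed cap, not from the thread */

/* Run the thread's malloc(1024) loop in a child capped by RLIMIT_AS.
 * Returns the number of allocations that succeeded before malloc()
 * returned NULL, or -1 on error. The calling process is not limited. */
long run_capped_alloc_loop(unsigned long cap_bytes)
{
    int fds[2], status;
    long count = -1;
    pid_t pid;
    if (pipe(fds) != 0)
        return -1;
    pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {                      /* child: the runaway program */
        struct rlimit mem = { cap_bytes, cap_bytes };
        struct rlimit cpu = { 5, 5 };    /* CPU seconds, second backstop */
        void *volatile p;                /* stops the compiler eliding malloc */
        long n = 0;
        if (setrlimit(RLIMIT_AS, &mem) != 0 || setrlimit(RLIMIT_CPU, &cpu) != 0)
            _exit(2);
        while ((p = malloc(1024)) != NULL)   /* same leak, now bounded */
            n++;
        if (write(fds[1], &n, sizeof n) != (ssize_t)sizeof n)
            _exit(3);
        _exit(0);
    }
    close(fds[1]);
    if (read(fds[0], &count, sizeof count) != (ssize_t)sizeof count)
        count = -1;
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    return count;
}

int main(void)
{
    printf("allocations before malloc failed: %ld\n", run_capped_alloc_loop(CAP_BYTES));
    return 0;
}
```

The same limits can be applied to a PHP CLI or web server process from the shell that starts it, via ulimit, without touching the program itself.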
RE: [PHP] Nasty DoS in PHP | Windows only?
> I know what you are saying. I've taken down apache on win32
> with setcookie

[snip]

> I'm pretty sure they ran PHP on apache, not IIS. Maybe this
> problem is only with the win32 version of the PHP module.

Yep, apparently I can't read. Apache, IIS, same header() probs.

> Nonetheless, a bug is still a bug. It would be nice if it
> wasn't there=)

Agreed! :)

J

Re: [PHP] Nasty DoS in PHP | Windows only?
----- Original Message -----
From: "Jason Murray" <[EMAIL PROTECTED]>
To: "'Jason Soza'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, April 17, 2002 11:36 PM
Subject: RE: [PHP] Nasty DoS in PHP | Windows only?

> > I'd be interested in knowing your versions and the versions
> > of the first guy that posted about this. Maybe he has the same
> > setup as me, or close enough, but both of us are different
> > from you.
>
> Actually, I just thought about it - maybe you guys are both running
> it on Windows (shame on you ;)).
>
> I *have* actually seen PHP bring down IIS with a setcookie command.
> Since a setcookie issues headers, I thought "fine, screw you, I'll
> set the headers myself", and it STILL brought IIS down. And indeed,
> the load *did* skyrocket and require a reboot of the server.

I know what you are saying. I've taken down apache on win32 with setcookie

> I asked around here at the time if anyone had experienced this (look
> through the mailing list archive to find it) and at the time got
> more of a congratulatory salute from the list members than any real
> responses :)
>
> Maybe this is more of a PHP-on-IIS issue than an actual security
> issue in PHP.

I'm pretty sure they ran PHP on apache, not IIS. Maybe this problem is only with the win32 version of the PHP module. Nonetheless, a bug is still a bug. It would be nice if it wasn't there=)

> Jason

RE: [PHP] Nasty DoS in PHP | Windows only?
> I'd be interested in knowing your versions and the versions
> of the first guy that posted about this. Maybe he has the same
> setup as me, or close enough, but both of us are different
> from you.

Actually, I just thought about it - maybe you guys are both running it on Windows (shame on you ;)).

I *have* actually seen PHP bring down IIS with a setcookie command. Since a setcookie issues headers, I thought "fine, screw you, I'll set the headers myself", and it STILL brought IIS down. And indeed, the load *did* skyrocket and require a reboot of the server.

I asked around here at the time if anyone had experienced this (look through the mailing list archive to find it) and at the time got more of a congratulatory salute from the list members than any real responses :)

Maybe this is more of a PHP-on-IIS issue than an actual security issue in PHP.

Jason