Re: [PHP] Nasty DoS in PHP | Windows only?
Just catching up on my emails and saw this thread.
Just a note that it didn't happen under
FreeBSD 4.5-R p3
PHP 4.1.2 (Apache module)
386M Ram, PIII 450 box
The script died after the max_time setting, and apache's children
returned back to their happy go lucky nature all by themselves...
Billy S Halsey wrote:
> Actually, it occurs on Solaris as well. I just coded up the script,
> and it brought my server to its knees, though I was able to break it
> before it hanged hard.
>
> My configuration:
>
> * Solaris 8 108528-12
> * PHP 4.1.1 as an executable (didn't try through Apache)
> * 512mb ram, 1 @ 440MHx UltraSPARC IIi
>
> My php.ini specifies:
>
> * max_execution_time = 120
> * memory_limit = 128M
>
> Yet, I let the script run for a while (over two minutes) and it had
> managed to consume 80% of my cpu time and over one gig of virtual
> memory (phys + swap)!
>
> It should be noted that while this is indeed a "very bad thing," the
> following snippet of C code is just as bad, yet it's not technically a
> bug -- just bad programming:
>
> int main(void)
> {
>void *p;
>while (1)
> p = malloc(1024);
>/*NOTREACHED*/
>return 0;
> }
>
> /bsh/
>
> Jason Murray wrote:
>
>>> I'd be interested in knowing your versions and the versions of the
>>> first guy that posted about this. Maybe he has the same setup as me,
>>> or close enough, but both of us are different from you.
>>
>>
>>
>> Actually, I just thought about it - maybe you guys are both running
>> it on Windows (shame on you ;)).
>>
>> I *have* actually seen PHP bring down IIS with a setcookie command.
>> Since a setcookie issues headers, I thought "fine, screw you, I'll
>> set the headers myself", and it STILL brought IIS down. And indeed,
>> the load *did* skyrocket and require a reboot of the server.
>>
>> I asked around here at the time if anyone had experienced this (look
>> through the mailing list archive to find it) and at the time got
>> more of a congratulatory salute from the list members than any real
>> responses :)
>>
>> Maybe this is more of a PHP-on-IIS issue than an actual security
>> issue in PHP.
>>
>> Jason
>>
>
>
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Nasty DoS in PHP | Windows only?
Actually, it occurs on Solaris as well. I just coded up the script, and
it brought my server to its knees, though I was able to break it before
it hanged hard.
My configuration:
* Solaris 8 108528-12
* PHP 4.1.1 as an executable (didn't try through Apache)
* 512mb ram, 1 @ 440MHx UltraSPARC IIi
My php.ini specifies:
* max_execution_time = 120
* memory_limit = 128M
Yet, I let the script run for a while (over two minutes) and it had
managed to consume 80% of my cpu time and over one gig of virtual memory
(phys + swap)!
It should be noted that while this is indeed a "very bad thing," the
following snippet of C code is just as bad, yet it's not technically a
bug -- just bad programming:
int main(void)
{
void *p;
while (1)
p = malloc(1024);
/*NOTREACHED*/
return 0;
}
/bsh/
Jason Murray wrote:
>>I'd be interested in knowing your versions and the versions
>>of the first guy that posted about this. Maybe he has the same
>>setup as me, or close enough, but both of us are different
>>from you.
>
>
> Actually, I just thought about it - maybe you guys are both running
> it on Windows (shame on you ;)).
>
> I *have* actually seen PHP bring down IIS with a setcookie command.
> Since a setcookie issues headers, I thought "fine, screw you, I'll
> set the headers myself", and it STILL brought IIS down. And indeed,
> the load *did* skyrocket and require a reboot of the server.
>
> I asked around here at the time if anyone had experienced this (look
> through the mailing list archive to find it) and at the time got
> more of a congratulatory salute from the list members than any real
> responses :)
>
> Maybe this is more of a PHP-on-IIS issue than an actual security
> issue in PHP.
>
> Jason
>
--
/-=[ BILLY S HALSEY ]=--\
| Member of Technical Staff, Sun Microsystems, Inc. ESP Solaris SW |
| "All opinions and technical advice offered in this message are my |
| own and not necessarily endorsed by my employer." |
\--=[ [EMAIL PROTECTED] ]=/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Nasty DoS in PHP | Windows only?
> I know what you are saying. I've taken down apache on win32 > with setcookie [snip] > I'm pretty sure they ran PHP on apache, not IIS. Maybe this > problem is only with the win32 version of the PHP module. Yep, apparently I can't read. Apache, IIS, same header() probs. > Nonetheless, a bug is still a bug. It would be nice if it > wasn't there=) Agreed! :) J -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Nasty DoS in PHP | Windows only?
- Original Message - From: "Jason Murray" <[EMAIL PROTECTED]> To: "'Jason Soza'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Wednesday, April 17, 2002 11:36 PM Subject: RE: [PHP] Nasty DoS in PHP | Windows only? > > I'd be interested in knowing your versions and the versions > > of the first guy that posted about this. Maybe he has the same > > setup as me, or close enough, but both of us are different > > from you. > > Actually, I just thought about it - maybe you guys are both running > it on Windows (shame on you ;)). > > I *have* actually seen PHP bring down IIS with a setcookie command. > Since a setcookie issues headers, I thought "fine, screw you, I'll > set the headers myself", and it STILL brought IIS down. And indeed, > the load *did* skyrocket and require a reboot of the server. I know what you are saying. I've taken down apache on win32 with setcookie > > I asked around here at the time if anyone had experienced this (look > through the mailing list archive to find it) and at the time got > more of a congratulatory salute from the list members than any real > responses :) > > Maybe this is more of a PHP-on-IIS issue than an actual security > issue in PHP. > I'm pretty sure they ran PHP on apache, not IIS. Maybe this problem is only with the win32 version of the PHP module. Nonetheless, a bug is still a bug. It would be nice if it wasn't there=) > Jason > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Nasty DoS in PHP | Windows only?
> I'd be interested in knowing your versions and the versions > of the first guy that posted about this. Maybe he has the same > setup as me, or close enough, but both of us are different > from you. Actually, I just thought about it - maybe you guys are both running it on Windows (shame on you ;)). I *have* actually seen PHP bring down IIS with a setcookie command. Since a setcookie issues headers, I thought "fine, screw you, I'll set the headers myself", and it STILL brought IIS down. And indeed, the load *did* skyrocket and require a reboot of the server. I asked around here at the time if anyone had experienced this (look through the mailing list archive to find it) and at the time got more of a congratulatory salute from the list members than any real responses :) Maybe this is more of a PHP-on-IIS issue than an actual security issue in PHP. Jason -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
