. The most you could
probably do is take out your own server, but you never know what script
kiddies are willing to do in order to take down a server.
Dustin E. Childers
Security Administrator. CEO, Digitux Security, Inc.
http://www.digitux.net/
- Original Message -
From: "James Co
"If the user has enough access to the server to place files on it" ?
There are hosting places that have PHP and you can just upload the PHP
script through FTP and access it in your browser.
Dustin E. Childers
Security Administrator. CEO, Digitux Security, Inc.
http://www.d
It's a default PHP installation. We aren't calling set_time_limit(). I know
it's an infinite loop, the point is that if a user wanted to attack a server
(happens every day) they would be able to use this method to take the server
down.
Dustin E. Childers
Security Administrator. CE
It does not stop after its execution time. We have let this run for 10+
minutes to see if it would crash the server, and it did. It does not affect
the person that loads the code in the browser, just affects the server
running the code.
Dustin E. Childers
Security Administrator. CEO, Digitux
php.ini:
memory_limit = 8M ; Maximum amount of memory a script may consume (8MB)
That is in there, I execute the code from a browser.
ps aux:
nobody 60155 84.6 16.8 88644 87424 ?? R 5:15PM 0:23.23 /www/bin/httpd
using 84.6% of CPU and 16.8% of Memory.
Dustin E. Childers
what I used:
We have tested this on apache 1.3.22, and apache 2.0.35, using php 4.1.2 and 4.2.0RC4.
It was able to completely kill our servers (not apache, the entire server). The loads
of the server will reach 50+. I have contacted apache about this and they said that it
is PHP related.
Dus