Re: [PHP] Nasty DoS in PHP

ECTED]> Sent: Thursday, April 18, 2002 7:29 AM Subject: RE: [PHP] Nasty DoS in PHP > Very odd indeed. Well, here's my setup: > Windoze2K > PHP 4.1.2 > Apache 1.3.something > Accessing it via IE 6.0, although this should not have any bearing on > anything > > I'

Re: [PHP] Nasty DoS in PHP | Windows only?

Just catching up on my emails and saw this thread. Just a note that it didn't happen under FreeBSD 4.5-R p3 PHP 4.1.2 (Apache module) 386M Ram, PIII 450 box The script died after the max_time setting, and apache's children returned back to their happy go lucky nature all by themselves... Billy

Re: [PHP] Nasty DoS in PHP | Windows only?

Actually, it occurs on Solaris as well. I just coded up the script, and it brought my server to its knees, though I was able to break it before it hanged hard. My configuration: * Solaris 8 108528-12 * PHP 4.1.1 as an executable (didn't try through Apache) * 512mb ram, 1 @ 440MHx UltraSP

Re: [PHP] Nasty DoS in PHP

Message- > From: Jason Soza [mailto:[EMAIL PROTECTED]] > Sent: Thursday, April 18, 2002 12:10 AM > To: [EMAIL PROTECTED] > Subject: RE: [PHP] Nasty DoS in PHP > > Mine produced the same error message as yours, Jason, but the memory and CPU > usage continued until I hit the &#x

RE: [PHP] Nasty DoS in PHP

-Original Message- From: Jason Soza [mailto:[EMAIL PROTECTED]] Sent: Thursday, April 18, 2002 12:10 AM To: [EMAIL PROTECTED] Subject: RE: [PHP] Nasty DoS in PHP Mine produced the same error message as yours, Jason, but the memory and CPU usage continued until I hit the 'stop'

RE: [PHP] Nasty DoS in PHP | Windows only?

> I know what you are saying. I've taken down apache on win32 > with setcookie [snip] > I'm pretty sure they ran PHP on apache, not IIS. Maybe this > problem is only with the win32 version of the PHP module. Yep, apparently I can't read. Apache, IIS, same header() probs. > Nonetheless, a bug i

Re: [PHP] Nasty DoS in PHP | Windows only?

- Original Message - From: "Jason Murray" <[EMAIL PROTECTED]> To: "'Jason Soza'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Wednesday, April 17, 2002 11:36 PM Subject: RE: [PHP] Nasty DoS in PHP | Windows only? > > I'd be

RE: [PHP] Nasty DoS in PHP | Windows only?

> I'd be interested in knowing your versions and the versions > of the first guy that posted about this. Maybe he has the same > setup as me, or close enough, but both of us are different > from you. Actually, I just thought about it - maybe you guys are both running it on Windows (shame on y

RE: [PHP] Nasty DoS in PHP

ader("A") } into any of my scripts, nor was I ever planning on it! :) -Original Message- From: Jason Murray [mailto:[EMAIL PROTECTED]] Sent: Wednesday, April 17, 2002 10:13 PM To: 'Jason Soza'; [EMAIL PROTECTED] Subject: RE: [PHP] Nasty DoS in PHP > Mine produced t

RE: [PHP] Nasty DoS in PHP

> Mine produced the same error message as yours, Jason, but the memory > and CPU usage continued until I hit the 'stop' button on the browser. > It seemed to have overridden both time and memory limits, as it had > racked up 320 megs of my RAM by the time I stopped it. It certainly didn't do t

RE: [PHP] Nasty DoS in PHP

al Message- From: Jason Murray [mailto:[EMAIL PROTECTED]] Sent: Wednesday, April 17, 2002 9:57 PM To: 'CC Zona'; [EMAIL PROTECTED] Subject: RE: [PHP] Nasty DoS in PHP > So that was both as an Apache mod and a CGI binary? Sounds like it's > reproducible. Running as an Apach

RE: [PHP] Nasty DoS in PHP

> So that was both as an Apache mod and a CGI binary? Sounds like it's > reproducible. Running as an Apache module here, it terminated as expected at 30 seconds. Jason -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Nasty DoS in PHP

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Jason Soza) wrote: > Interesting, check out my apache error log: > [Wed Apr 17 18:35:53 2002] [error] PHP Fatal error: Maximum execution time > of 30 seconds exceeded in d:\html\loop.asp on line 7 LOL. You use *.asp for your PHP scripts? Wou

RE: [PHP] Nasty DoS in PHP

> A big "if", since the OP has not yet verified that the time limit and > memory limit are in effect at the outset of the loop as supposed. > Someone else want to test for this scenario? Someone, that is, who > can deliberately bring down their server without getting kicked > off permanently

RE: [PHP] Nasty DoS in PHP

. Jason -Original Message- From: CC Zona [mailto:[EMAIL PROTECTED]] Sent: Wednesday, April 17, 2002 7:04 PM To: [EMAIL PROTECTED] Subject: Re: [PHP] Nasty DoS in PHP Do you have a PHP binary compiled too? If Apache can be taken out of the equation and the script still exceed memory/time

Re: [PHP] Nasty DoS in PHP

I crashed a server yesterday from PHP code that was trying to create an image with GD. The same scenerio happened in that my entire box froze. No keyboard control, no mouse, no CTRL-ALT-F2, nothing. This was also due to a header() in an infinite loop. From my perspective I thought that was bad

Re: [PHP] Nasty DoS in PHP

> From: Martin Towell <[EMAIL PROTECTED]> > Date: Wednesday, April 17, 2002 6:37 pm > Subject: RE: [PHP] Nasty DoS in PHP > > > Is that memory usage used by PHP or apache? > > > > -Original Message- > > From: Jason Soza [mailto:[EMAIL PROTECT

RE: [PHP] Nasty DoS in PHP

It shows the memory and CPU time being used by apache. I have PHP installed as a module, that may be why. (?) Jason Soza - Original Message - From: Martin Towell <[EMAIL PROTECTED]> Date: Wednesday, April 17, 2002 6:37 pm Subject: RE: [PHP] Nasty DoS in PHP > Is that memory u

RE: [PHP] Nasty DoS in PHP

Is that memory usage used by PHP or apache? -Original Message- From: Jason Soza [mailto:[EMAIL PROTECTED]] Sent: Thursday, April 18, 2002 12:35 PM To: CC Zona Cc: [EMAIL PROTECTED] Subject: Re: [PHP] Nasty DoS in PHP For what it's worth, I just ran this script on my server

Re: [PHP] Nasty DoS in PHP

hink so. A bug? Possibly. Bad coding? Yep. :) Jason Soza - Original Message - From: CC Zona <[EMAIL PROTECTED]> Date: Wednesday, April 17, 2002 6:21 pm Subject: Re: [PHP] Nasty DoS in PHP > In article <p05100304b8e3cee5ab0c@[210.49.237.250]>, > [EMAIL PROTECTED] (Richar

RE: [PHP] Nasty DoS in PHP

[snip] > > If this allows a DoS attack, then this is a very real security problem. > > Why should it? Even if there is a verifiable bug allowing time/memory > limits to be exceeded when header() goes into an infinite loop, how could > someone exploit this from the outside? If a scripter is l

Re: [PHP] Nasty DoS in PHP

In article , [EMAIL PROTECTED] (Richard Archer) wrote: > At 8:55 PM -0400 17/4/02, Justin Farnsworth wrote: > > >This is a rather meaningless thread. It is a > >security issue that is displaced. > > If PHP is not honoring the time limit and memory usage

Re: [PHP] Nasty DoS in PHP

At 8:55 PM -0400 17/4/02, Justin Farnsworth wrote: >This is a rather meaningless thread. It is a >security issue that is displaced. If PHP is not honoring the time limit and memory usage directives when outputting headers, then this is a bug in PHP. If this allows a DoS attack, then this is a v

Re: [PHP] Nasty DoS in PHP

Guys: This is a rather meaningless thread. It is a security issue that is displaced. Anybody can take down his own machine with a couple of lines of code. It is not the (entire) responsibility of the language to protect the machine from resource exhaustion or whatever. In security, you have t

RE: [PHP] Nasty DoS in PHP

Cox Cc: [EMAIL PROTECTED] Subject: Re: [PHP] Nasty DoS in PHP You can't upload a binary file to a server and access it through a web browser. The most it will do is either show the 'source' for file or ask you to download it. Yes, this is probably not a major DoS attack..and there ar

Re: [PHP] Nasty DoS in PHP

x" <[EMAIL PROTECTED]> To: "Dustin E. Childers" <[EMAIL PROTECTED]>; "Jason Murray" <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Wednesday, April 17, 2002 5:28 PM Subject: RE: [PHP] Nasty DoS in PHP > so why not upload a binary file and exe

RE: [PHP] Nasty DoS in PHP

> "If the user has enough access to the server to place files on it" ? > > There are hosting places that have PHP and you can just upload the PHP > script through FTP and access it in your browser. ... in which case all you'll accomplish is taking out your own server, which is not a DoS attack.

RE: [PHP] Nasty DoS in PHP

so why not upload a binary file and execute that ? quick root-kit later and you're in. -Original Message- From: Dustin E. Childers [mailto:[EMAIL PROTECTED]] Sent: Thursday, April 18, 2002 3:22 AM To: Jason Murray Cc: [EMAIL PROTECTED] Subject: Re: [PHP] Nasty DoS in PHP "I

Re: [PHP] Nasty DoS in PHP

igitux.net/ - Original Message - From: "Jason Murray" <[EMAIL PROTECTED]> To: "'Dustin E. Childers'" <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Wednesday, April 17, 2002 5:14 PM Subject: RE: [PHP] Nasty DoS in PHP > > It's a default PH

RE: [PHP] Nasty DoS in PHP

> It's a default PHP installation. We aren't calling set_time_limit(). > I know its an infinite loop, the point is that if a user wanted to > attack a server (happens every day) they would be able to use this > method to take the server down. But, if the user has enough access to the server to

RE: [PHP] Nasty DoS in PHP

monitored box. This isn't really an exploit, just bad coding. -Original Message- From: Dustin E. Childers [mailto:[EMAIL PROTECTED]] Sent: Thursday, April 18, 2002 3:10 AM To: Jason Murray Cc: [EMAIL PROTECTED] Subject: Re: [PHP] Nasty DoS in PHP It's a default PHP ins

Re: [PHP] Nasty DoS in PHP

O, Digitux Security, Inc. http://www.digitux.net/ - Original Message - From: "Jason Murray" <[EMAIL PROTECTED]> To: "'Dustin E. Childers'" <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Wednesday, April 17, 2002 5:04 PM Subject: RE: [PHP] Nasty

RE: [PHP] Nasty DoS in PHP

> It does not stop after its execution time. Is your PHP actually configured to stop running after 30 seconds, though? Its the default, but you may have overridden it. > We have let this run for 10+ minutes to see if it would crash the > server, and it did. Is it possible you're called set_t

Re: [PHP] Nasty DoS in PHP

In article <000401c1e67b$dd64c820$2fa3f318@blackbox>, [EMAIL PROTECTED] (Dustin E. Childers) wrote: > It does not stop after its execution time. We have let this run for 10+ > minutes to see if it would crash the server, and it did. It does not affect > the person that loads the code in the brow

Re: [PHP] Nasty DoS in PHP

Security, Inc. http://www.digitux.net/ - Original Message - From: "Jason Murray" <[EMAIL PROTECTED]> To: "'Dustin E. Childers'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Wednesday, April 17, 2002 4:45 PM Subject: RE: [PHP] Nasty DoS in PHP

RE: [PHP] Nasty DoS in PHP

> I have found something interesting that can kill the server. > I'm not sure if this is because of Apache or PHP. If you use > PHP to send a header() inside of a while loop, the httpd > process will begin to use massive CPU and Memory until it is > killed, or the server is killed. Here is wha

Re: [PHP] Nasty DoS in PHP

Security Administrator. CEO, Digitux Security, Inc. http://www.digitux.net/ - Original Message - From: "Rasmus Lerdorf" <[EMAIL PROTECTED]> To: "Dustin E. Childers" <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Wednesday, April 17, 2002 12:58 PM Subjec

Re: [PHP] Nasty DoS in PHP

Turn on the memory-limit option On Wed, 17 Apr 2002, Dustin E. Childers wrote: > Hello. > > I have found something interesting that can kill the server. I'm not sure if this is >because of Apache or PHP. If you use PHP to send a header() inside of a while loop, >the httpd process will begin to

[PHP] Nasty DoS in PHP

Hello. I have found something interesting that can kill the server. I'm not sure if this is because of Apache or PHP. If you use PHP to send a header() inside of a while loop, the httpd process will begin to use massive CPU and Memory until it is killed, or the server is killed. Here is what I