php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #15153 Php starts writing log in an infinite loop resulting is system DoS
Submitted: 2002-01-21 16:23 UTC Modified: 2002-06-18 10:40 UTC
From: mikael dot jokela at ursa dot fi Assigned:
Status: Not a bug Package: Directory function related
PHP Version: 4.1.1 OS: Linux 2.2.20 (Redhat 5.2)
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: mikael dot jokela at ursa dot fi
New email:
PHP Version: OS:

 

 [2002-01-21 16:23 UTC] mikael dot jokela at ursa dot fi
A piece of code that you have at
http://www.php.net/manual/en/function.readdir.php
leads to system DoS with php-4.1.1, Linux 2.2.20,
apache 1.3.22:

Example 1. List all files in the current directory

<?php
$handle=opendir('.');
echo "Directory handle: $handle\n";
echo "Files:\n";
while (false !== ($file = readdir($handle))) { 
    echo "$file\n";
}
closedir($handle); 
?>
 
When this code is executed, php enters a loop writing this line to the log file an infinite number of times: 
[date] PHP Warning: Supplied argument is not a valid Directory resource in /path/to/script.php on line 5.
Httpd uses all processor time and finally fills the partition in which the log file is located.

The problem seems to be the dot in the function call because the script works normally if the dot is replaced with an absolute path name.

My apacle 1.3.22 web server includes the following modules:
mod_ssl 2.8.5, mod_perl 1.26, php-3.0.18, php-4.1.1. Php-4.1.1 has been compiled as a dynamic module with the following options: --enable-versioning --with-apxs --with-mysql --with-xml --enable-calendar --enable-memory-limit --enable-session --enable-safe-mode --with-openssl --enable-bcmath --with-gd

I also tried this with php-4.0.6 and the result is the same. 

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-01-22 14:21 UTC] sander@php.net
Reclassified as a documentation problem.
 [2002-02-24 07:48 UTC] nohn@php.net
Fixed this in the documentation, but I still think it's an issue that should be fixed in the PHP-source
 [2002-06-18 06:15 UTC] derick@php.net
Sorry, but the bug system is not the appropriate forum for asking
support questions. Your problem does not imply a bug in PHP itself.
For a list of more appropriate places to ask for help using PHP,
please visit http://www.php.net/support.php

Thank you for your interest in PHP.


 [2002-06-18 10:40 UTC] mikael dot jokela at ursa dot fi
Well, using this scenario a local user can circumvent his/her disk quota and fill up the partiotion in which the
log file is located. This is likely to DoS the web server host! I do think this is a bug in PHP. I got around this problem by configuring PHP to use syslog for logging. Syslog is intelligent enough not to allow multiple copies of the same line in the log file so the log file won't get so big. I haven't tested recent PHP version so I don't know whether this vulnerability is still present, though.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 12:01:31 2024 UTC