Bug #18726 Empty Argument List Causes PHP to Hang
Submitted: 2002-08-03 15:04 UTC Modified: 2002-08-03 16:49 UTC
From: mattmurphy at kc dot rr dot com Assigned:
Status: Not a bug Package: Performance problem
PHP Version: 4.2.2 OS: Win32
Private report: No CVE-ID: None

 [2002-08-03 15:04 UTC] mattmurphy at kc dot rr dot com
Affected: PHP 4.2.0/4.2.2 for Win32 confirmed

Problem: An issue in PHP's CGI EXE (possibly other modules, but the EXE is known to be susceptible) can cause it to hang if it is given a command line like this:

C:\PHP>php
[No Output - PHP hangs]
^C
C:\PHP>

cgi.force_redirect being enabled has *no effect* on the result of this command -- PHP hangs regardless.

With the rare config of a CGI/SAPI on Apache, a certain type of request could be used to do this remotely:

http://apache-site/php/php.exe

If this is done repeatedly, it could starve server resources.

 [2002-08-03 15:17 UTC] sander@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php
 [2002-08-03 16:09 UTC] mattmurphy at kc dot rr dot com
So, the PHP team is telling me now that something that causes a product to hang, and can be exploited remotely isn't even a *bug*?
 [2002-08-03 16:17 UTC] eru@php.net
No, this is not a bug, as you wouldn't put php.exe in the cgi-bin directory in the first place. Secondly, when called without arguments, php doesn't "hang", but waits for input from the stdin.

 [2002-08-03 16:17 UTC] eru@php.net
Forgot to set the status.
 [2002-08-03 16:17 UTC] edink@php.net
PHP will by default read its scripts from STDIN and does not hang. Try typing in something and press Ctrl-Z and you will see PHP executing the "script".

Anyway, this is not a correct place for user questions. Please visit http://www.php.net/support for more information.
 [2002-08-03 16:34 UTC] mattmurphy at kc dot rr dot com
This *is* an issue, even if it is not a hang problem -- it does appear that way unless something is input via STDIN.  SecurityFocus Bug ID #5280 shows how this can be used to cause a DDoS on PHP/Apache pairs...

Your own install instructions call for a "/php/" alias to be added on Apache, thus allowing direct calls to the binary.  If several of these calls were made, a lengthy period of time would pass before CGI could be used again on the server.

PHP should at least add a timeout while waiting for STDIN input, so this is mitigated when used remotely.
 [2002-08-03 16:49 UTC] edink@php.net
Installation instructions also mention that installing PHP in this way is not very secure. The problem here is that Apache doesn't allow php to be configured as a cgi interpreter outside scripts directory. Again this is *not* a PHP bug.

You should configure your Apache web server to use PHP as a module since in that way you avoid the security problems, and increase the performance at the same time.
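
The STDIN timeout requested in the 16:34 comment, sketched as an added example that is not part of the thread or of PHP's source: a POSIX C reader that stops waiting once an overall deadline passes without a complete script arriving. The function name `read_script_bounded`, the 5-second limit, and the use of `poll()` (which does not cover Win32 console input) are assumptions of this example.

```c
/* Added illustration, not PHP source. read_script_bounded and its
 * parameters are hypothetical names chosen for this example. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <poll.h>
#include <stddef.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>

/* Milliseconds from a monotonic clock, so wall-clock changes cannot extend the wait. */
static long long now_ms(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (long long)ts.tv_sec * 1000 + ts.tv_nsec / 1000000;
}

/* Read from fd until EOF or cap bytes, allowing at most total_ms overall.
 * Returns bytes read, -1 on error, -2 if the deadline passed before EOF. */
long read_script_bounded(int fd, char *buf, size_t cap, int total_ms) {
    long long deadline = now_ms() + total_ms;
    size_t used = 0;
    while (used < cap) {
        long long left = deadline - now_ms();
        if (left <= 0) return -2;           /* a slow drip of bytes also ends here */
        struct pollfd p = { .fd = fd, .events = POLLIN };
        int r = poll(&p, 1, (int)left);
        if (r < 0) { if (errno == EINTR) continue; return -1; }
        if (r == 0) return -2;              /* nothing arrived in time */
        ssize_t n = read(fd, buf + used, cap - used);
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        if (n == 0) break;                  /* EOF: the whole script is in buf */
        used += (size_t)n;
    }
    return (long)used;
}

int main(void) {
    char buf[4096];
    long n = read_script_bounded(STDIN_FILENO, buf, sizeof buf, 5000);
    if (n == -2) { fputs("no script on stdin, giving up\n", stderr); return 1; }
    return n < 0 ? 2 : 0;
}
```

The deadline is for the whole read rather than per `read()` call, so a client that sends one byte at a time cannot hold the process open indefinitely.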



 
Last updated: Sat Dec 21 18:01:29 2024 UTC