Bug #14707 A very serious PHP bug that can turn down almost any web server !!!
Submitted: 2001-12-26 19:00 UTC Modified: 2002-01-12 19:17 UTC
From: sorin at sorin dot tv Assigned:
Status: Not a bug Package: Scripting Engine problem
PHP Version: 4.1.0 OS: Any OS, any PHP version
Private report: No CVE-ID: None
 [2001-12-26 19:00 UTC] sorin at sorin dot tv
  I discovered the bug when I tried to make a script that creates new PHP processes that run at the same time. Save the following script in http://127.0.0.1/a.php, launch a.php and close the browser window:

<?$a=fsockopen("127.0.0.1", 80,$b,$c,99);fputs($a,"GET /a.php / HTTP/1.1\r\nConnection: Keep-Alive\r\n\r\n");while(1);?>

  Even if you have set the script execution time to only several seconds, my script will run forever and create a huge number of instances of itself that will create more instances. Practically, the code above is a 120-byte PHP virus that can turn down a web server in minutes.

  The idea is that my script opens a socket connection on port 80 on the web server, sends the command "get file a.php" and then waits until its execution time ends. Meanwhile, the web server tries to return a.php, so it executes it first, so 2 instances of a.php will exist. The new instance will open a new socket connection, and so on.

  My script can be modified to this (a.php):
<?while(1){$a=fsockopen("127.0.0.1", 80,$b,$c,99);fputs($a,"GET /a.php / HTTP/1.1\r\nConnection: Keep-Alive\r\n\r\n");}?>

and then every new instance of the script will launch as many instances as it can until it gets ended by the maximum execution time.

  To fix the bug, when a PHP script ends, naturally or forced, just as you unset all variables of the script, in the same way you have to close all opened sockets of the script and NOT let them pend. This will only reduce the effects of the script.

  Practically, if I make a script that registers 100 accounts or more at www.MyCgiServer.com or at www.f2s.com and run an instance of a.php in every account, that will mean the turning down of those web servers.

  Conclusion: it is possible to build a PHP worm virus. Also it is possible to make a script that runs forever, no matter what maximum execution time is set. When running on my local Apache server, it consumes 100% of my system's resources and my HDD is making a terrible noise all the time.

  Author and copyright of the bug: Sorin Facaoaru -  sorin@sorin.tv, www.sorin.tv

  Regards.

History

 [2001-12-26 19:04 UTC] daniel@php.net
well, DoS is nothing new. thanks for re-discovering it. this is not a PHP bug (the same problem applies to virtually any language: C, Python, Perl ..). it's a general security issue. you might solve it by limiting the amount of connections for an IP.

Kind Regards,
  Daniel Lorch
 [2001-12-26 19:06 UTC] daniel@php.net
I forgot to /bogus
 [2001-12-26 19:08 UTC] daniel@php.net
here's another discovery:

while(true)
  mail("sorin@sorin.tv", "this is a mailbomb", "blub");


 [2002-01-12 16:19 UTC] sorin at sorin dot tv
You must design the PHP scripting language in such a way that every time a script ends (naturally or forced), the PHP server closes all open socket connections of the ending script by sending a TCP closing request (FIN) to every opened socket. Also, the server administrator should have the power to set the maximum simultaneous socket connections for each server account.
  Sorin Facaoaru - Sorin Media Inc.
 [2002-01-12 18:24 UTC] sorin at sorin dot tv
"Limiting the amount of connections for an IP", as you said, is NOT a solution. Let's say my script interrogates a database or opens a file on the web like $a=file("http://example.com/news.txt"); then if you set the maximum no. of connections and my site has many visitors (several a sec), your solution is not reliable. I believe a better solution is the one above; plus, even if you set the max no. of connections to 2, I can make the script above run forever in 2 instances, even if you close your browser and the maximum execution time is only one sec. Just tested it.
  Sorin Facaoaru - Sorin Media Inc.
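An added example, not code from the bug report and not part of PHP itself: a guarded replacement for fsockopen() that a script author (where the maintainer places the responsibility) can use to apply the two controls argued over above. It refuses connections back to the server's own address, so a script cannot re-request itself through the web server; it caps how many sockets a single request may hold open; and it closes every tracked socket when the script ends, whether normally or by the max_execution_time abort. The names guarded_fsockopen(), guarded_fclose(), close_all_sockets() and MAX_SOCKETS_PER_REQUEST are assumptions made for this example.

```php
<?php
// Added example (not from the bug report): an fsockopen() wrapper that
//  (1) refuses connections to the server's own address (no self-requests),
//  (2) caps the sockets one request may hold open, and
//  (3) closes every tracked socket at script shutdown.
// All function and constant names below are assumptions for this example.

const MAX_SOCKETS_PER_REQUEST = 4; // assumed cap, tune per application

/** Sockets opened during this request, keyed by resource id. */
$GLOBALS['__open_sockets'] = [];

function is_self_address(string $host): bool
{
    // gethostbyname() returns the input unchanged when resolution fails.
    $ip = gethostbyname($host);
    if ($ip === $host && filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return true; // unresolvable: refuse rather than guess
    }
    $self = [$_SERVER['SERVER_ADDR'] ?? '', '127.0.0.1', '::1'];
    if (in_array($ip, $self, true)) {
        return true;
    }
    // Treat the whole 127/8 block as loopback, not just 127.0.0.1.
    return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false
        && (ip2long($ip) >> 24) === 127;
}

function guarded_fsockopen(string $host, int $port, &$errno = null, &$errstr = null, float $timeout = 5.0)
{
    if (is_self_address($host)) {
        $errno = 0;
        $errstr = 'refusing connection to own server address';
        return false;
    }
    if (count($GLOBALS['__open_sockets']) >= MAX_SOCKETS_PER_REQUEST) {
        $errno = 0;
        $errstr = 'per-request socket limit reached';
        return false;
    }
    $sock = @fsockopen($host, $port, $errno, $errstr, $timeout);
    if ($sock === false) {
        return false;
    }
    // A silent peer must not pin this request for the 99 s used in the report.
    stream_set_timeout($sock, (int) $timeout);
    $GLOBALS['__open_sockets'][(int) $sock] = $sock;
    return $sock;
}

function guarded_fclose($sock): bool
{
    unset($GLOBALS['__open_sockets'][(int) $sock]);
    return fclose($sock);
}

function close_all_sockets(): void
{
    foreach ($GLOBALS['__open_sockets'] as $sock) {
        if (is_resource($sock)) {
            fclose($sock); // sends FIN to the peer
        }
    }
    $GLOBALS['__open_sockets'] = [];
}

// Runs on normal completion, exit(), fatal errors and the max_execution_time abort.
register_shutdown_function('close_all_sockets');

// Usage: the self-request from the report is refused before any socket opens.
$s = guarded_fsockopen('127.0.0.1', 80, $errno, $errstr, 5);
var_dump($s, $errstr); // bool(false), "refusing connection to own server address"
```

Two caveats a practitioner should keep in mind. PHP already releases socket resources at request shutdown, so the shutdown hook only makes that explicit; it does not by itself break the chain, because the HTTP request reached the web server the moment fputs() returned and will be served regardless of what happens to the client socket afterwards. The self-address check is the control that stops the fan-out, and a concurrency limit per client IP or per virtual host enforced at the web server (the maintainer's suggestion) is the complementary control, since it also covers scripts that do not use this wrapper.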
 [2002-01-12 19:17 UTC] daniel@php.net
I already told you by private mail, sorin, that this is the responsibility of the PROGRAMMER, not the language itself. your request sounds like "please remove unlink() from PHP, it allows people to destroy data". It's YOUR responsibility to develop a site structure which doesn't take down your whole server just because more than 10 people visit it at the same time.

Feel free to discuss this topic with me privately. It doesn't belong here at all.

Kind Regards,
  Daniel Lorch
 [2003-12-24 19:37 UTC] jokko at yahoo dot com
I was trying a feature that creates several threads at www.jokko.com and I think you only have this type of problem if you create a very small script on a very fast server.