PHP :: Bug #15153 :: Php starts writing log in an infinite loop resulting is system DoS

Bug #15153	Php starts writing log in an infinite loop resulting is system DoS
Submitted:	2002-01-21 16:23 UTC	Modified:	2002-06-18 10:40 UTC
From:	mikael dot jokela at ursa dot fi	Assigned:
Status:	Not a bug	Package:	Directory function related
PHP Version:	4.1.1	OS:	Linux 2.2.20 (Redhat 5.2)
Private report:	No	CVE-ID:	None

View Developer Edit

[2002-01-21 16:23 UTC] mikael dot jokela at ursa dot fi

A piece of code that you have at
http://www.php.net/manual/en/function.readdir.php
leads to system DoS with php-4.1.1, Linux 2.2.20,
apache 1.3.22:

Example 1. List all files in the current directory

<?php
$handle=opendir('.');
echo "Directory handle: $handle\n";
echo "Files:\n";
while (false !== ($file = readdir($handle))) { 
    echo "$file\n";
}
closedir($handle); 
?>
 
When this code is executed, php enters a loop writing this line to the log file an infinite number of times: 
[date] PHP Warning: Supplied argument is not a valid Directory resource in /path/to/script.php on line 5.
Httpd uses all processor time and finally fills the partition in which the log file is located.

The problem seems to be the dot in the function call because the script works normally if the dot is replaced with an absolute path name.

My apacle 1.3.22 web server includes the following modules:
mod_ssl 2.8.5, mod_perl 1.26, php-3.0.18, php-4.1.1. Php-4.1.1 has been compiled as a dynamic module with the following options: --enable-versioning --with-apxs --with-mysql --with-xml --enable-calendar --enable-memory-limit --enable-session --enable-safe-mode --with-openssl --enable-bcmath --with-gd

I also tried this with php-4.0.6 and the result is the same.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2002-01-22 14:21 UTC] sander@php.net

Reclassified as a documentation problem.

[2002-02-24 07:48 UTC] nohn@php.net

Fixed this in the documentation, but I still think it's an issue that should be fixed in the PHP-source

[2002-06-18 06:15 UTC] derick@php.net

Sorry, but the bug system is not the appropriate forum for asking
support questions. Your problem does not imply a bug in PHP itself.
For a list of more appropriate places to ask for help using PHP,
please visit http://www.php.net/support.php

Thank you for your interest in PHP.

[2002-06-18 10:40 UTC] mikael dot jokela at ursa dot fi

Well, using this scenario a local user can circumvent his/her disk quota and fill up the partiotion in which the
log file is located. This is likely to DoS the web server host! I do think this is a bug in PHP. I got around this problem by configuring PHP to use syslog for logging. Syslog is intelligent enough not to allow multiple copies of the same line in the log file so the log file won't get so big. I haven't tested recent PHP version so I don't know whether this vulnerability is still present, though.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Mon Feb 10 08:01:28 2025 UTC