Bug #18726 Empty Argument List Causes PHP to Hang
Submitted: 2002-08-03 15:04 UTC
Modified: 2002-08-03 16:49 UTC
From: mattmurphy at kc dot rr dot com
Assigned:
Status: Not a bug
Package: Performance problem
PHP Version: 4.2.2
OS: Win32
Private report: No
CVE-ID: None
 [2002-08-03 15:04 UTC] mattmurphy at kc dot rr dot com
Affected: PHP 4.2.0/4.2.2 for Win32 confirmed

Problem: An issue in PHP's CGI EXE (possibly other modules, but the EXE is known to be susceptible) can cause it to hang if it is given a command line like this:

C:\PHP>php
[No Output - PHP hangs]
^C
C:\PHP>

cgi.force_redirect being enabled has *no effect* on the result of this command -- PHP hangs regardless.

With the rare config of a CGI/SAPI on Apache, a certain type of request could be used to do this remotely:

http://apache-site/php/php.exe

If this is done repeatedly, it could starve server resources.

 [2002-08-03 15:17 UTC] sander@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php
 [2002-08-03 16:09 UTC] mattmurphy at kc dot rr dot com
So, the PHP team is telling me now that something that causes a product to hang, and can be exploited remotely isn't even a *bug*?
 [2002-08-03 16:17 UTC] eru@php.net
No, this is not a bug, as you wouldn't put php.exe in the cgi-bin directory in the first place. Secondly, when called without arguments, php doesn't "hang", but waits for input from the stdin.

 [2002-08-03 16:17 UTC] eru@php.net
Forgot to set the status.
 [2002-08-03 16:17 UTC] edink@php.net
PHP will by default read its scripts from STDIN and does not hang. Try typing in something and press Ctrl-Z and you will see PHP executing the "script".

Anyway, this is not a correct place for user questions. Please visit http://www.php.net/support for more information.
 [2002-08-03 16:34 UTC] mattmurphy at kc dot rr dot com
This *is* an issue, even if it is not a hang problem -- it does appear that way unless something is input via STDIN.  SecurityFocus Bug ID #5280 shows how this can be used to cause a DDoS on PHP/Apache pairs...

Your own install instructions call for a "/php/" alias to be added on Apache, thus allowing direct calls to the binary.  If several of these calls were made, a lengthy period of time would pass before CGI could be used again on the server.

PHP should at least add a timeout while waiting for STDIN input, so this is mitigated when used remotely.
 [2002-08-03 16:49 UTC] edink@php.net
Installation instructions also mention that installing PHP in this way is not very secure. The problem here is that Apache doesn't allow php to be configured as a cgi interpreter outside scripts directory. Again this is *not* a PHP bug.

You should configure your Apache web server to use PHP as a module since in that way you avoid the security problems, and increase the performance at the same time.
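
The behaviour discussed in this thread, as an added illustration that is not part of the original report or of PHP's code: an interpreter that reads its script from stdin blocks until it sees end-of-file, and a supervising timeout (the mitigation the reporter asks for) bounds how long such a process can hold a slot. The Python interpreter stands in for php.exe here, and all function names are hypothetical.

```python
import subprocess
import sys
import time

# Stand-in for an interpreter started with no arguments: it reads the whole
# script from stdin and only then executes it (assumption: models php.exe).
CHILD = [sys.executable, "-c", "import sys; exec(sys.stdin.read())"]


def run_with_open_stdin(timeout):
    """Start the child with a stdin pipe that is never written to or closed.

    The child blocks in read() waiting for EOF; the supervisor kills it once
    `timeout` seconds have passed. Returns (outcome, seconds_elapsed).
    """
    proc = subprocess.Popen(CHILD, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    start = time.monotonic()
    try:
        proc.wait(timeout=timeout)
        outcome = "exited"
    except subprocess.TimeoutExpired:
        proc.kill()          # reclaim the process slot
        proc.wait()
        outcome = "killed-after-timeout"
    finally:
        proc.stdin.close()
        proc.stdout.close()
    return outcome, time.monotonic() - start


def run_with_script(script):
    """Send a script and then EOF (what typing input and Ctrl-Z does on Win32)."""
    done = subprocess.run(CHILD, input=script, capture_output=True, timeout=10)
    return done.returncode, done.stdout


def run_with_closed_stdin():
    """Give the child an already-empty stdin: read() returns at once, no wait."""
    done = subprocess.run(CHILD, stdin=subprocess.DEVNULL,
                          capture_output=True, timeout=10)
    return done.returncode


if __name__ == "__main__":
    print("open stdin, 1s supervisor timeout:", run_with_open_stdin(1.0))
    print("script then EOF:", run_with_script(b"print('hello')"))
    print("empty stdin exit code:", run_with_closed_stdin())
```
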



 
Last updated: Mon Nov 18 21:01:37 2019 UTC