|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #18726 Empty Argument List Causes PHP to Hang
Submitted: 2002-08-03 15:04 UTC Modified: 2002-08-03 16:49 UTC
From: mattmurphy at kc dot rr dot com Assigned:
Status: Not a bug Package: Performance problem
PHP Version: 4.2.2 OS: Win32
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: mattmurphy at kc dot rr dot com
New email:
PHP Version: OS:


 [2002-08-03 15:04 UTC] mattmurphy at kc dot rr dot com
Affected: PHP 4.2.0/4.2.2 for Win32 confirmed

Problem: An issue in PHP's CGI EXE (possibly other modules, but the EXE is known to be susceptible) can cause it to hang if it is given a command line like this:

[No Output - PHP hangs]

cgi.force_redirect being enabled has *no effect* on the result of this command -- PHP hangs regardless.

With the rare config of a CGI/SAPI on Apache, a certain type of request could be used to do this remotely:


If this is done repeatedly, it could starve server resources.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2002-08-03 15:17 UTC]
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at and the instructions on how to report
a bug at
 [2002-08-03 16:09 UTC] mattmurphy at kc dot rr dot com
So, the PHP team is telling me now that something that causes a product to hang, and can be exploited remotely isn't even a *bug*?
 [2002-08-03 16:17 UTC]
No, this is not a bug, as you wouldn't put php.exe in the cgi-bin directory in the first place. Secondly, when called without arguments, php doesn't "hang", but waits for input from the stdin.

 [2002-08-03 16:17 UTC]
Forgot to set the status.
 [2002-08-03 16:17 UTC]
PHP will by default read its scripts from STDIN and does not hang. Try typing in something and press Ctrl-Z and you will see PHP executing the "script".

Anyway, this is not a correct place for user questions. Please visit for more information.
 [2002-08-03 16:34 UTC] mattmurphy at kc dot rr dot com
This *is* an issue, even if it is not a hang problem -- it does appear that way unless something is input via STDIN.  SecurityFocus Bug ID #5280 shows how this can be used to cause a DDoS on PHP/Apache pairs...

Your own install instructions call for a "/php/" alias to be added on Apache, thus allowing direct calls to the binary.  If several of these calls were made, a lengthy period of time would pass before CGI could be used again on the server.

PHP should at least add a timeout while waiting for STDIN input, so this is mitigated when used remotely.
 [2002-08-03 16:49 UTC]
Installation instructions also mention that installing PHP in this way is not very secure. The problem here is that Apache doesn't allow php to be configured as a cgi interpreter outside scripts directory. Again this is *not* a PHP bug.

You should configure your Apache web server to use PHP as a module since in that way you avoid the secuirty problems, and increase the performance at the same time.

PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Jul 24 03:01:28 2024 UTC