Bug #33313 I found a flaw in the ISAPI module
Submitted: 2005-06-11 22:32 UTC Modified: 2005-06-13 10:38 UTC
From: trustpunk at hotmail dot com Assigned:
Status: Closed Package: IIS related
PHP Version: 5.0.4, 4.3.11 OS: Windows
Private report: No CVE-ID: None
 [2005-06-11 22:32 UTC] trustpunk at hotmail dot com
Description:
------------
When running PHP as an ISAPI module, you can remotely crash the web server by creating a specially crafted URL. This bug was discovered by accident and I actually refer to it as a DDoS type of attack on the web server. Please fix this!

PHP versions affected so far: v4.3.11, v5.0.4



Reproduce code:
---------------
Using a URL like this will crash the web server; only ISAPI is affected.

http://www.your-site.com/script.php/num=10101

I discovered this when writing a Binary to Decimal converter.


 [2005-06-12 01:08 UTC] sniper@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5-win32-latest.zip


 [2005-06-12 01:35 UTC] trustpunk at hotmail dot com
I'm proud to say that the bug is fixed in that release :-)

Make sure you apply that to v4.3 also. Later!
 [2005-06-13 01:41 UTC] trustpunk at hotmail dot com
I use PHP v4. I tried the latest snapshot of PHP4 and the
bug still exists; it would be nice if you could fix it.

Snapshot: v4.4.x-dev [June 12, 2005]
 [2005-06-13 10:38 UTC] sniper@php.net
Won't fix in PHP 4. (that would require too big changes and as we're focused on PHP 5 anyway, this is yet another reason to start using PHP)

 