SecurityTracker.com

Category:   Application (Web Server/CGI)  >   Apache
Vendors:   Apache Software Foundation
Apache Can Be Crashed By PHP Code Invoking Nested Remote Sockets
SecurityTracker Alert ID:  1010674
SecurityTracker URL:  http://securitytracker.com/id/1010674
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 12 2004
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): Apache 2.0.49 (Win32) with PHP 5.0.0 RC2
Description:   Paul Brereton reported a denial of service vulnerability in the Apache web server when running with PHP. A local user can cause denial of service conditions on the web server.

It is reported that a local user can write PHP code that, when invoked by a remote user via the Apache web server, will cause the Apache web server to become unavailable and eventually crash.

PHP code that invokes certain functions such as fopen and fsockopen in an endless loop can trigger the flaw, even when the PHP timeout is set to 30 seconds, the report said.

A demonstration exploit example ('loop.php') is provided:

<?
fopen("http://[target]/loop.php","r");
?>

Impact:   A local user (or a remote authenticated user with PHP upload privileges on the target system) can cause the target web service to crash.
Solution:   No solution was available at the time of this entry.
Vendor URL:  httpd.apache.org/
Cause:   Resource error
Underlying OS:   Windows (Any)

Message History:   None.
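
Added example (not part of the SecurityTracker entry or the original report): a log-review check for the self-request pattern described above, in which the web server's own address repeatedly requests the same script within a few seconds. The function name, threshold, window and the sample log lines are assumptions constructed for illustration; the server address set must be supplied by the operator.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log prefix: host ident user [time] "METHOD url proto" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def find_self_request_loops(lines, server_addrs, threshold=20, window_s=5):
    """Return {path: peak_count} for paths the server requested from itself
    at least `threshold` times within `window_s` seconds (assumed defaults)."""
    recent = defaultdict(deque)      # path -> timestamps inside the sliding window
    peaks = {}
    window = timedelta(seconds=window_s)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                 # skip malformed or truncated lines
        host, ts, _method, url, _status = m.groups()
        if host not in server_addrs:
            continue                 # only requests that originate from the server itself
        path = url.split("?", 1)[0]  # ignore query strings when grouping
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[path]
        q.append(when)
        while when - q[0] > window:  # drop entries that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[path] = max(peaks.get(path, 0), len(q))
    return peaks

def make_sample():
    """Constructed log lines: one outside visitor, 30 loopback hits on the same
    script over three seconds, and two unrelated requests."""
    lines = ['203.0.113.7 - - [12/Jul/2004:10:00:00 +0000] "GET /loop.php HTTP/1.1" 200 0']
    for i in range(30):
        lines.append('127.0.0.1 - - [12/Jul/2004:10:00:%02d +0000] '
                     '"GET /loop.php HTTP/1.0" 200 0' % (i // 10))
    lines.append('127.0.0.1 - - [12/Jul/2004:10:00:05 +0000] "GET /server-status HTTP/1.0" 200 512')
    lines.append('198.51.100.9 - - [12/Jul/2004:10:00:06 +0000] "GET /index.php HTTP/1.1" 200 1024')
    return lines

if __name__ == "__main__":
    hits = find_self_request_loops(make_sample(), {"127.0.0.1", "::1"})
    for path, n in hits.items():
        print("possible self-request loop: %s (%d requests in window)" % (path, n))
```

Apache writes an access-log entry when a request finishes, so these lines appear as the nested chain unwinds or times out; the check is meant for review after the service has degraded, not as a real-time guard.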


 Source Message Contents

Date:  Sat, 15 May 2004 12:13:04 +0100
Subject:  Denial of service.





Author: Paul Brereton CISSP

E-Mail: paul.brereton@citigroup.com

Software Versions: PHP5.0.0 RC2, Apache 2.0.49(Win32).

Vulnerability Title: PHP / Apache Denial of Service.

Description:



PHP has many functions available which enable it to connect to remote
sites to retrieve HTML, such as fopen, fsockopen and some third party
libraries such as the popular curl. Many ISPs allow at least one or
more of these functions, including some free webpage providers.
Creating an endless loop using these functions is possible, and even with
the script timeout set to 30 seconds it is very easy to create a Denial
of Service of both PHP and the webserver itself (in this case Apache)
where the webserver will either not serve any more requests and after a
period of time will crash. A similar scenario may be possible using
other languages but is untested.



How to re-create the denial of service:



Create a file called for example : loop.php containing the following code:



<?

fopen("http://127.0.0.1/loop.php","r");

?>



replacing the webserver location to the place where you have uploaded
the script.



Then all you have to do is to open the page in a webbrowser. This will
render Apache unable to serve any streams and will eventually crash the
process.











Regards,





Paul Brereton.



 
 



Copyright 2012, SecurityGlobal.net LLC