[21639] in bugtraq
Re: [BUGTRAQ] PHP local DoS: self-fetching throught HTTP
daemon@ATHENA.MIT.EDU (Joe Harris)
Thu Jul 19 12:40:25 2001
Date: Wed, 18 Jul 2001 11:33:43 -0700 (PDT)
From: Joe Harris <cdi@thewebmasters.net>
To: Ilya Teterin <alienhard@mail.ru>
Cc: bugtraq@securityfocus.com
In-Reply-To: <20010718132901.27868.qmail@securityfocus.com>
Message-ID: <Pine.LNX.3.95.1010718100918.14504B-100000@animal.blarg.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On 18 Jul 2001, Ilya Teterin wrote:

> PHP scripting allows "opening" files through HTTP:
>
> $file=fopen("http://host/page.html","r");

I would dearly love to see the method used to test for this condition,
since (and someone slap me if I'm wrong) this is a Turing Machine Halting
problem and is impossible to test for.

> If a script opens itself through HTTP, it will result in
> a DoS attack:

What is it with the recent proliferation of "vulnerabilities" that are
painfully self-evident, or worse, dependent upon write-access previously
being deliberately granted to malicious individuals? (i.e., Customers)

Any programming language or shell environment can be used to create an
infinite loop. If server resource limits permit, such loops can tear apart
the machine. If a would-be DoS attacker has write access or shell access
to the machine, the only thing that can save you is strict resource
limits.

In Perl: http://victim/loop.cgi

    #!/usr/bin/perl
    use LWP::Simple;
    $content = get("http://victim/loop.cgi");

... * poof * ...

In sh or bash: (Now here's an obscure fork-bomb...)

    :(){ :|:&};:

In MSDOS batch file:

    rem Exponential file size creation.
    echo Hi There >> dummy.txt
    @ECHO OFF
    :SAYIT
    type dummy.txt >> dummy.txt
    GOTO SAYIT

We can go on like this forever of course - just like these loops can if
not stomped on by the careful application of service and user limits.

CDI
--
The Web Master's Net
http://www.thewebmasters.net/
Today's Excuse:
vapors from evaporating sticky-note adhesives
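
The resource limits the message names as the defence, shown as an added example that is not part of the original post: a wrapper that runs a command under CPU-time and file-size limits, exercised on two constructed runaway loops. The function names, the limit values and the Linux-like `ulimit` behaviour are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a Linux-like system
# where the shell's ulimit builtin supports -t, -f and -c.

# run_limited CPU_SECONDS FILE_BLOCKS COMMAND [ARGS...]
# Limits are set in a subshell, so they bind COMMAND and its children only.
run_limited() {
    cpu=$1 fblocks=$2
    shift 2
    (
        ulimit -t "$cpu"       # CPU seconds before the kernel kills it
        ulimit -f "$fblocks"   # largest file it may write, in blocks
                               # (512 or 1024 bytes, depending on the shell)
        ulimit -c 0            # no core files from the killed process
        exec "$@"
    )
}

# Constructed stand-in for the self-appending batch loop in the post.
grow_file() {
    run_limited 5 64 sh -c 'while :; do echo "Hi There" >> "$1"; done' sh "$1"
}

# Constructed stand-in for any loop that only burns CPU.
spin_cpu() {
    run_limited 1 64 sh -c 'while :; do :; done'
}

# Runs both loops and reports how each ended; returns 0 only if both
# were stopped by their limit.
limits_demo() {
    dir=$(mktemp -d) || return 1
    rc_file=0; grow_file "$dir/dummy.txt" 2>/dev/null || rc_file=$?
    size=$(( $(wc -c < "$dir/dummy.txt") ))
    rc_cpu=0; spin_cpu 2>/dev/null || rc_cpu=$?
    rm -rf "$dir"
    echo "file loop: exit $rc_file, dummy.txt stopped at $size bytes"
    echo "cpu loop:  exit $rc_cpu"
    [ "$rc_file" -ne 0 ] && [ "$rc_cpu" -ne 0 ] && [ "$size" -le 65536 ]
}

limits_demo
```

A fork bomb is bounded by a process-count limit rather than these two (`ulimit -u` in bash); it is left out because that flag is not portable across shells.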