Bugtraq mailing list archives
PHP local DoS: self-fetching throught HTTP
From: Ilya Teterin <alienhard () mail ru>
Date: 18 Jul 2001 13:29:01 -0000
PHP scripting allows "opening" files througth HTTP: $file=fopen("http://host/page.html","r"); If script opening itself throught HTTP, it will result in DoS attack: as much as possible HTTP connections and great number of executing PHP scripts. Timeout settings are useless. Possible solutions: - disable HTTP connections from local host - limit number of connections from one host Samlpe exploit: put "script.php" to www.freehosting.domain and make some HTTP request to it. ==begin of script.php== <?php $file=fopen "http://www.freehosting.domain/script.php" ,"r"); ?> ===end of script.php=== Another way to use PHP script self-fetching is creating infinite-living scripts on server: before execution timeout exceed, script "opening" itself throught HTTP and continue its execution. buggzy, Nerf Security Group www.nerf.ru
Current thread:
- PHP local DoS: self-fetching throught HTTP Ilya Teterin (Jul 18)
- Re: [BUGTRAQ] PHP local DoS: self-fetching throught HTTP Joe Harris (Jul 19)