Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

PHP-FPM and PHP-CGI - Denial of Service POC

From: Vinny Troia <vinny () nightlionsecurity com>
Date: Mon, 5 May 2014 17:56:08 -0500
When running under Apache or NGINX servers, the default (and/or commonly accepted) configurations of PHP-FPM and 
PHP-CGI (mod_fcgi) are easily susceptible to denial of service attacks. 

This attack effects Apache or NGINX web servers that handle dynamic PHP content using either PHP-CGI or PHP-FPM (which 
includes WordPress websites). In addition, the requests made by the attack will continue to keep the server’s resources 
in use far past the end of the attack. In the case where PHP-CGI is in use, the Apache processes will spawn and max out 
based on the serverLimit setting. It will take the web server a considerable amount of time to recover from this event. 

It is also important to note that this attack has the same premise as Slowloris. The main difference is that Slowloris 
focuses on eating up HTTP (apache) connections, while this attack focuses on eating up PHP-CGI or PHP-FPM connections 
(within either Apache or NGINX). 

Additional information and POC script download here: 
https://www.nightlionsecurity.com/blog/news/2014/04/phpstress-dos-attack-php-nginx-apache/


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: