Newsgroups: php.internals
Xref: news.php.net php.internals:84686
To: internals@lists.php.net
Date: Fri, 13 Mar 2015 16:01:51 +0100
Message-ID: <4426444.JgVMhxXZoq@rofl>
In-Reply-To: <3961990.KljssxxPxS@rofl>
Subject: Re: [PHP-DEV] SAPI apache2handler + pipelined HTTP request core dumps
From: php@bof.de (Patrick Schaaf)

On Tuesday 10 March 2015 10:26:12 Patrick Schaaf wrote:
> > https://bugs.php.net/bug.php?id=68486

Meanwhile I did some more debugging, today also testing with a freshly compiled current apache 2.4.12. The issue persists.

As it does not always coredump, but always uncontrollably reenters an already-deconfigured PHP interpreter, I see the potential for arbitrary remote code execution. I opened a security bug for that two days ago - no reaction.

Sorry for shouting, BUT IS REALLY NOBODY HERE INTERESTED IN (non-fpm) PHP UNDER APACHE 2.4 / LINUX ??????

I don't want to go out on the internet and test whether I can randomly crash any such server, but everything I analyzed so far tells me that half of the world might be affected by this.

For those who cannot be bothered to read the bug report, but have an apache 2.4 running with mod_php, could you please run the following against your server, and look for segmentation violation / coredump messages in your server logs?
  echo -e 'GET /foo.php HTTP/1.1\nHost: www.example.de\n\nGET /foo.php HTTP/1.1\nHost: www.example.de\n\n' | nc localhost 80

(of course, replace /foo.php with any trivial PHP script on your server, and www.example.de with your virtual host name)

best regards
  Patrick

P.S.: to anybody who now wants to tell me to just use FPM/fastCGI: save the bits, I don't want to hear that.
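As an added example (not part of Patrick's message or the bug report): a small Python client that sends the same two pipelined requests to a server you administer and counts how many complete responses come back, so a dropped connection shows up as a number rather than something to eyeball in nc output. The host, port, path and vhost defaults mirror the nc one-liner and are placeholders; the request builder and response splitter are my own and assume Content-Length framing.

```python
import socket

def build_pipelined_request(path: str, vhost: str, count: int = 2) -> bytes:
    """Concatenate `count` HTTP/1.1 GETs into one write, as the nc one-liner does;
    the last one says Connection: close so a healthy server ends the exchange."""
    reqs = []
    for i in range(count):
        closing = "Connection: close\r\n" if i == count - 1 else ""
        reqs.append(f"GET {path} HTTP/1.1\r\nHost: {vhost}\r\n{closing}\r\n")
    return "".join(reqs).encode("ascii")

def split_responses(data: bytes):
    """Split a response stream into (status, body) tuples by Content-Length framing
    (no Content-Length: body runs to EOF). A truncated response is not counted."""
    responses, pos = [], 0
    while True:
        sep = data.find(b"\r\n\r\n", pos)
        if sep < 0:
            break
        lines = data[pos:sep].split(b"\r\n")
        status = int(lines[0].split()[1])          # "HTTP/1.1 200 OK" -> 200
        length = None
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                length = int(value.strip())
        start = sep + 4
        end = len(data) if length is None else start + length
        if end > len(data):
            break  # body cut short: the server stopped talking mid-response
        responses.append((status, data[start:end]))
        pos = end
        if length is None:
            break
    return responses, data[pos:]

def probe(host="localhost", port=80, path="/foo.php", vhost="www.example.de",
          count=2, timeout=5.0):
    """Send the pipeline to a server you administer; return the number of complete
    responses. Fewer than `count` (or a reset) means the connection died mid-way."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_pipelined_request(path, vhost, count))
        try:
            while chunk := sock.recv(65536):
                data += chunk
        except (ConnectionResetError, socket.timeout):
            pass  # a dropped or stalled connection is itself the finding
    return len(split_responses(data)[0])
```

A result below `count` is only the symptom; confirm it against the segfault / coredump messages in the Apache error log that the post asks you to look for.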