Newsgroups: php.internals
From: bostjan@a2o.si (Bostjan Skufca)
Date: Fri, 13 Mar 2015 17:34:06 +0100
To: Patrick Schaaf
Cc: PHP Internals List
In-Reply-To: <4426444.JgVMhxXZoq@rofl>
Subject: Re: [PHP-DEV] SAPI apache2handler + pipelined HTTP request core dumps

I can confirm the behaviour. Even if I do not change script names and/or HTTP host.

b.

On 13 March 2015 at 16:01, Patrick Schaaf wrote:

> On Tuesday 10 March 2015 10:26:12 Patrick Schaaf wrote:
> >
> > https://bugs.php.net/bug.php?id=68486
>
> Meanwhile I did some more debugging, today also testing with a freshly
> compiled current apache 2.4.12. The issue persists.
>
> As it does not always coredump, but always uncontrollably reenters an
> already-deconfigured PHP interpreter, I see the potential for arbitrary
> remote code execution. I opened a security bug for that two days ago - no
> reaction.
>
> Sorry for shouting, BUT IS REALLY NOBODY HERE INTERESTED IN (non-fpm) PHP
> UNDER APACHE 2.4 / LINUX ??????
>
> I don't want to go out on the internet and test whether I can randomly
> crash any such server, but everything I analyzed so far tells me that half
> of the world might be affected by this.
>
> For those who cannot be bothered to read the bug report, but have an apache
> 2.4 running with mod_php, could you please run the following against your
> server, and look for segmentation violation / coredump messages in your
> server logs?
>
> echo -e 'GET /foo.php HTTP/1.1\nHost: www.example.de\n\nGET /foo.php HTTP/1.1\nHost: www.example.de\n\n' | nc localhost 80
>
> (of course, replace /foo.php with any trivial PHP script on your server,
> and www.example.de with your virtual host name)
>
> best regards
> Patrick
>
> P.S.: to anybody who now wants to tell me to just use FPM/fastCGI: save the
> bits, I don't want to hear that.
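
The log check asked for in the quoted message, as an added example that is not part of either message or of the PHP or Apache projects: it scans an Apache 2.4 error log for the parent-process notices written when a child exits on a signal and summarises them. It assumes the default 2.4 `ErrorLogFormat`; the sample lines, PIDs and paths are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the default Apache 2.4 error-log format (not from the thread).
SAMPLE_LOG = """\
[Fri Mar 13 16:01:02.101010 2015] [mpm_prefork:notice] [pid 900] AH00163: Apache/2.4.12 (Unix) configured -- resuming normal operations
[Fri Mar 13 16:01:07.222222 2015] [core:notice] [pid 900] AH00052: child pid 1201 exit signal Segmentation fault (11)
[Fri Mar 13 16:01:07.900000 2015] [core:notice] [pid 900] AH00051: child pid 1202 exit signal Segmentation fault (11), possible coredump in /tmp/apache-cores
[Fri Mar 13 16:02:30.000001 2015] [core:notice] [pid 900] AH00052: child pid 1207 exit signal Bus error (7)
[Fri Mar 13 16:03:00.000002 2015] [:error] [pid 1210] [client 127.0.0.1:50000] script '/srv/www/missing.php' not found or unable to stat
"""

# Notice logged by the parent when a child dies from a signal. The optional
# ":tid N" covers threaded MPMs; the AH code is optional so the match does not
# depend on it.
CRASH_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[core:notice\] \[pid \d+(?::tid \d+)?\] "
    r"(?:AH\d{5}: )?child pid (?P<child>\d+) exit signal (?P<signame>.+?) "
    r"\((?P<signum>\d+)\)(?:, possible coredump in (?P<coredir>.+))?$"
)

def find_child_crashes(log_text):
    """Return one dict per child process that exited on a signal."""
    events = []
    for line in log_text.splitlines():
        m = CRASH_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "time": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y"),
            "child_pid": int(m["child"]),
            "signal": m["signame"],
            "signum": int(m["signum"]),
            "core_dir": m["coredir"],  # None when no coredump was announced
        })
    return events

def summarize(events):
    """Count crashes by signal and find the minute with the most crashes."""
    per_minute = Counter(e["time"].strftime("%Y-%m-%d %H:%M") for e in events)
    return {
        "total": len(events),
        "by_signal": dict(Counter(e["signal"] for e in events)),
        "worst_minute": per_minute.most_common(1)[0] if per_minute else None,
        "core_dirs": sorted({e["core_dir"] for e in events if e["core_dir"]}),
    }

if __name__ == "__main__":
    print(summarize(find_child_crashes(SAMPLE_LOG)))
```

A core file is only written when `CoreDumpDirectory` and the process core-size limit allow it, so the plain "exit signal" notice without a coredump path is the line to rely on.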