Message-ID: <200602201330.42615.ewiget@rhpstudios.com>
Date: Mon, 20 Feb 2006 13:30:35 -0500
From: Ed Wiget <ewiget@...studios.com>
To: bugtraq@...urityfocus.com
Subject: how to crash apache/php in cpanel

I am really not sure if this is a cpanel, php, or apache problem but will let 
others find out.  This is the entire reason I am supplying this 
information....

In a recent post concerning a mambo error message:
Warning: ob_start(): output handler 'ob_gzhandler' cannot be used after 
'URL-Rewriter' in /home/xxx/public_html/xxx/includes/mambo.php on line 2771

http://forum.mamboserver.com/showthread.php?t=70555

There was a recommended fix by a 3rd party that contains this code:

original:
if ( extension_loaded('zlib') ) {
ob_start( 'ob_gzhandler' );
return;

Changing this to: 
if ( extension_loaded('xzlib') ) {
ob_start( 'ob_gzhandler' );
return;

Of course this doesn't solve the underlying problem which simply requires 
turning off gzip compression in mambo or turning off zlib compression when 
using the one in mambo....but it does have a pretty weird effect if you try 
it.

Applying this change to a cpanel web site will cause the web site to stop 
responding for all php web sites on the server.  Changing the line of code 
back to the original does not help for that specific web site.  I don't have 
root access to the server to find out what crashed or to restart the 
services, or to even take a further look at it.....

Looking at services through the cpanel account shows httpd failed as soon as 
the page is loaded but other static content on the web server for other 
domains was working fine.

Server Specs:
Operating system  	FreeBSD
Kernel version 	4.7-RELEASE
Machine Type 	i386
Apache version 	1.3.31 (Unix)
PERL version 	5.8.2
PHP version 	4.3.4
MySQL version 	4.0.13
cPanel Build 	10.8.1-CURRENT 112

Here is another post I made concerning this issue (the last line of this 
post):
http://forum.mamboserver.com/showthread.php?p=335376#post335376

I never notified anyone, because this is really incomplete, I don't have the 
resources to take this further, and I wouldn't know who to notify at this 
point.

-- 
Ed Wiget

"I'd crawl over a million acres of 'Visual This++' and 'Integrated 
Development That' to get to gcc, Emacs, and gdb"
