| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 27 May 2008 08:59:07 +0200 From: Juan Miguel - Prisma Virtual - <jmiguel@...smavirtual.com> Cc: bugtraq@...urityfocus.com Subject: Re: function sleep() in all versions of PHP Mark Sanders escribió: > This vulnerability is not per se a vulnerability but a annoyance that > has been dealt with in many ways. > > It is quite common to not let any process on a web server run longer > then a specified time. This is usually made possible by some trivial > shell scripting that checks the running time of certain processes. > > This annoyance is also not limited to PHP. Any scripting language that > has the ability to execute something with the means of system() can > create and call a script that uses memory and waits indefinitely. > > This is also an annoyance that will not be seen as a bug or will be > "fixed" because it would leave the language almost useless. Although > some do attempt to fix this by disabling all possible functions that > can execute something like exec, system, eval, etc. but it is not > limited to that. The same long wait can be achieved with fsockopen or > any other stream function like fread, fwrite, etc. Even if your wait > is limited to 60 seconds you can just repeat it in a simple loop and > still maintain the very low actual cpu time usage. > > This is and has never been a security hole or threat. It will also > never be. It is just an annoyance for which many solutions are already > available. Which are the avalaible solutions ? Thanks.
Powered by blists - more mailing lists