
Ugh, I managed to hang one of my websites by sticking that number in place of a normal integer parameter.

Apache2 (mod_php) spun at 100% cpu usage.

This suggested workaround works for me. Obviously, it's a limited bandaid, but thanks for suggesting it.

So basically you can hang (almost) any website written in PHP which exposes primary keys as GET parameters?

Does this just crash the local process for that request or will it also cause problems for other requests? Anyone able to test this?

Only if it wasn't cast as an integer.

I usually do something like:

    $id = isset($_GET['id']) ? (int) $_GET['id'] : 0;

It has to be treated as a float to be a problem, not as an int.

Only if that parameter is treated as a number and not as a string. And only if the PHP version/configuration has that bug. It seems to be a problem when converting from decimal string to number.

In Windows it leaves a zombie resource putting the CPU to 100%, so it doesn't seem to be a nice thing...

It's going to be a very, very small subset of websites running PHP that could be hung...

- Must be one of the PHP 5.3.3 versions with the bug, where very very few web hosts are running such a recent version (5.0, 5.1 and 5.2 branches are much more common)

- Must be a 32-bit version, no bug in 64-bit

- The PHP program must try to use the input as a number

It seems to me that not only the PHP versions 5.3.3 are vulnerable. I have successfully crashed an older version of PHP 5.0.3.
