ID:               19655
 Comment by:       [EMAIL PROTECTED]
 Reported By:      [EMAIL PROTECTED]
 Status:           Feedback
 Bug Type:         Session related
 Operating System: 2.2.20
 PHP Version:      4.2.3
 New Comment:

I tested the php4-200209300600 snap. I still have apache segfaulting :

#0  ps_mm_destroy (data=0x83f26a8) at /space/build/apache/php4-200209300600/ext/session/mod_mm.c:241
241                             next = sd->next;
(gdb) bt
#0  ps_mm_destroy (data=0x83f26a8) at /space/build/apache/php4-200209300600/ext/session/mod_mm.c:241
#1  0x8135606 in zm_shutdown_ps_mm (type=1, module_number=18) at /space/build/apache/php4-200209300600/ext/session/mod_mm.c:293
#2  0x81348c4 in zm_shutdown_session (type=1, module_number=18) at /space/build/apache/php4-200209300600/ext/session/session.c:1511
#3  0x80e880f in module_destructor (module=0x83e2518) at /space/build/apache/php4-200209300600/Zend/zend_API.c:1128
#4  0x80e9e47 in zend_hash_apply_deleter (ht=0x839d460, p=0x83e24e8) at /space/build/apache/php4-200209300600/Zend/zend_hash.c:598
#5  0x80e9f59 in zend_hash_graceful_reverse_destroy (ht=0x839d460) at /space/build/apache/php4-200209300600/Zend/zend_hash.c:664
#6  0x80e62dc in zend_shutdown () at /space/build/apache/php4-200209300600/Zend/zend.c:512
#7  0x80cae93 in php_module_shutdown () at /space/build/apache/php4-200209300600/main/main.c:1193
#8  0x80cae74 in php_module_shutdown_wrapper (sapi_globals=0x835b520) at /space/build/apache/php4-200209300600/main/main.c:1170
#9  0x80c1540 in apache_php_module_shutdown_wrapper ()
#10 0x81966ce in run_cleanups ()
#11 0x8194db4 in ap_clear_pool ()
#12 0x8194e29 in ap_destroy_pool ()
#13 0x8194d8c in ap_clear_pool ()
#14 0x8194e29 in ap_destroy_pool ()
#15 0x81a38c2 in clean_parent_exit ()
#16 0x81a6593 in standalone_main ()
#17 0x81a6a93 in main ()


Previous Comments:
------------------------------------------------------------------------

[2002-09-29 20:03:03] [EMAIL PROTECTED]

Please try using this CVS snapshot:

  http://snaps.php.net/php4-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-latest.zip

I meant all the libraries you link with PHP and apache with.
But please try the snapshot, it's more likely not related to SSL anyway
and there were some fixes in CVS just today which should prevent this.


------------------------------------------------------------------------

[2002-09-29 17:40:18] [EMAIL PROTECTED]

> and are you 100% sure you're really compiling with 0.9.6g ? 

Yes, Apache+mod_ssl are linked with a just "untagzip'ed and compiled"
openssl-0.9.6g ...

> And that ALL your software is linked with it?

Why would other software be linked with it ? We're only talking about a
httpd process, not the whole of the system.

> Best way to be sure about it is to first remove all binaries
> compiled with openssl and all old openssl libraries from your system
> and compile the latest from scratch.

Why would I do that ? I am sure of the steps I made : it is an
Apache+0.9.6g (as shown in headers) and it is crashed by the worm code
:(

Georges

------------------------------------------------------------------------

[2002-09-29 17:33:36] [EMAIL PROTECTED]

Please, don't sign your comments... and are you 100% sure
you're really compiling with 0.9.6g ? And that ALL your
software is linked with it?

Best way to be sure about it is to first remove all binaries
compiled with openssl and all old openssl libraries from your system
and compile the latest from scratch.


------------------------------------------------------------------------

[2002-09-29 16:45:14] [EMAIL PROTECTED]

I feel like sure ( :-) ) that Apache/OpenSSL 0.9.6g is still
vulnerable to a Slapper worm attack ...

I downloaded "Slapper worm like" code - available "for testing
purpose only" - from somewhere on the Internet, modified it to ensure
it will only attack my server when launched, and then launched it ...
Everything occurred normally, the virus didn't infect my computer, the
same behaviour as the very first attacks. I used my httpd server and
segfaulted it by doing it ... I have gdb'ed my httpd+core, and
arrived on the same place in source code as mentioned in the first
gdb log. The worm-like had crashed my apache. I checked the logs and
was the only one to attack the computer. That means that OpenSSL 0.9.6g
is not safe right now ... I retried several times again but failed to
reproduce the crash ... That's why I "feel like sure" :-)

Anyway - and perhaps because of my parano. :) - I have closed my 443
window and wait for a better weather outside ;-)
openssl-0.9.6h.tar.gz ? :) An advice ...

My apache logs are showing tonight :
Unknown(0) : Notice - Login failed: authentication failure (errflg=1)
Unknown(0) : Notice - Login failed: authentication failure (errflg=1)
Unknown(0) : Notice - Login failed: authentication failure (errflg=1)
Unknown(0) : Notice - Too many login failures (errflg=2)

------------------------------------------------------------------------

[2002-09-29 14:39:43] [EMAIL PROTECTED]

Well, the braces values indicate the release version I used to compile
... The configure script is called by a shell script rebuilding
automatically everything, in order to upgrade easily the packages when
new releases are available ... Yes, the "session mm" appears under
"Additional Modules" section ... And the handler is correct
(session.save_handler -> mm) ...

It seems that this trouble only occurs when the Apache server is hit by
the OpenSSL/Worm Slapper (see
http://www.cert.org/advisories/CA-2002-27.html) ... My apache is built
with a 0.9.6g OpenSSL so that the worm can't infect the server, but it
could maybe corrupt the memory ? I rebuilt Apache+mod_php with
--enable-debug=yes and re-opened the https port, waiting for the
trouble to reappear, creating a core file ... Right now, the problem
stopped like every time I stop and restart the httpd process.

Strange strange strange ...

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
    http://bugs.php.net/19655
