#47116 [NEW]: Problem with .htaccess, high consumption of resources , probable DOS

Thu, 15 Jan 2009 08:20:40 -0800 

From:             kabute at gulo dot org
Operating system: GNU/Linux (Debian)
PHP version:      5.2.8
PHP Bug Type:     Apache2 related
Bug description:  Problem with .htaccess, high consumption of resources , 
probable DOS

Description:
------------
If you create a directory with a .htaccess and a .htpassword inside (and
Apache2 correctly configured), and you create a .php file with the next
code:

<?php

$user = $_SERVER['PHP_AUTH_USER'];
$pass = $_SERVER['PHP_AUTH_PW'];

$validated = ($user=="user") && (($pass) == "pass");

if (!$validated) {
 header('WWW-Authenticate: Basic realm="Realm"');

 header('HTTP/1.0 401 Unauthorized');
 die ("Authentification failed.");


}


?>

In the second authetification the browser will start loading the page
waiting for response. Looking at the apache's error log it will show an
"user not found" error.

I've tried it with PHP 5.2.6 and PHP 5.2.7 .

Reproduce code:
---------------
<?php

//Remember to create .htaccess and .htpasswd

$user = $_SERVER['PHP_AUTH_USER'];
$pass = $_SERVER['PHP_AUTH_PW'];

$validated = ($user=="user") && (($pass) == "pass");

if (!$validated) {
 header('WWW-Authenticate: Basic realm="Realm"');

 header('HTTP/1.0 401 Unauthorized');
 die ("Authentification failed.");


}


?>

Expected result:
----------------
Resources comsuption, maybe DOS.

Actual result:
--------------
Very high memory load.

-- 
Edit bug report at http://bugs.php.net/?id=47116&edit=1
-- 
Try a CVS snapshot (PHP 5.2):        
http://bugs.php.net/fix.php?id=47116&r=trysnapshot52
Try a CVS snapshot (PHP 5.3):        
http://bugs.php.net/fix.php?id=47116&r=trysnapshot53
Try a CVS snapshot (PHP 6.0):        
http://bugs.php.net/fix.php?id=47116&r=trysnapshot60
Fixed in CVS:                        
http://bugs.php.net/fix.php?id=47116&r=fixedcvs
Fixed in CVS and need be documented: 
http://bugs.php.net/fix.php?id=47116&r=needdocs
Fixed in release:                    
http://bugs.php.net/fix.php?id=47116&r=alreadyfixed
Need backtrace:                      
http://bugs.php.net/fix.php?id=47116&r=needtrace
Need Reproduce Script:               
http://bugs.php.net/fix.php?id=47116&r=needscript
Try newer version:                   
http://bugs.php.net/fix.php?id=47116&r=oldversion
Not developer issue:                 
http://bugs.php.net/fix.php?id=47116&r=support
Expected behavior:                   
http://bugs.php.net/fix.php?id=47116&r=notwrong
Not enough info:                     
http://bugs.php.net/fix.php?id=47116&r=notenoughinfo
Submitted twice:                     
http://bugs.php.net/fix.php?id=47116&r=submittedtwice
register_globals:                    
http://bugs.php.net/fix.php?id=47116&r=globals
PHP 4 support discontinued:          http://bugs.php.net/fix.php?id=47116&r=php4
Daylight Savings:                    http://bugs.php.net/fix.php?id=47116&r=dst
IIS Stability:                       
http://bugs.php.net/fix.php?id=47116&r=isapi
Install GNU Sed:                     
http://bugs.php.net/fix.php?id=47116&r=gnused
Floating point limitations:          
http://bugs.php.net/fix.php?id=47116&r=float
No Zend Extensions:                  
http://bugs.php.net/fix.php?id=47116&r=nozend
MySQL Configuration Error:           
http://bugs.php.net/fix.php?id=47116&r=mysqlcfg

Reply via email to