Re: function sleep() in all versions of PHP

2008-05-28 Thread Glynn Clements
Charles Morris wrote:
> I agree with you that this is a known issue, and that there are ways around it, however I would in fact call it a vulnerability.

That depends upon your threat model. If you are treating max_execution_time as protection against malicious scripts, then it's a

RE: function sleep() in all versions of PHP

2008-05-28 Thread Michael Wojcik
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charles Morris
Sent: Tuesday, 27 May, 2008 13:14

The reasoning behind this is behind the definition of vulnerability, and here is a good one: a weakness in a system allowing unauthorized action [(NRC91:301; Amo94:2) Sandia]

Re: function sleep() in all versions of PHP

2008-05-27 Thread cxib
Yep. „Using PHP as an in-process script interpreter grants script authors control over the httpd children.” It is possible to make DoS (block all sockets/memory exe.). (more in Xploit magazin) Reason: Use PHP via a CGI interpreter with RLimit* directives. Anyone who uses PHP as an

Re: function sleep() in all versions of PHP

2008-05-27 Thread Charles Morris
Mark, I agree with you that this is a known issue, and that there are ways around it, however I would in fact call it a vulnerability. The reasoning behind this is behind the definition of vulnerability, and here is a good one: a weakness in a system allowing unauthorized action [(NRC91:301;

Re: function sleep() in all versions of PHP

2008-05-27 Thread Michael G. Reed
max_execution_time is *CPU EXECUTION* time and not *WALL-CLOCK* time -- reread the definition from the PHP man pages. Since you are doing sleep() in the script, which is suspending the process (script), no CPU time is accruing for that process (script), therefore you do not hit the