1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

PHP floating point bug - potential DoS threat

Discussion in 'Off Topic' started by Luke F, Jan 6, 2011.

  1. Luke F

    Luke F Well-Known Member


    Looks like this site runs on a 64-bit server - don't go posting the code below inside [php] tags on any XenForo forums running on 32-bit servers - even just the highlighting code is enough to trigger it :p

    <?php $d 2.2250738585072011e-308?>
    If you're running an x86 server (like me :(), watch out for the next release of PHP update ASAP! One of my members has already managed to (semi-accidentally) DoS my server using this. >.>

    Edit: Also just to clarify, you can still be vulnerable if you are running x64 but have an x86 version of PHP. You should double check by running the test script via CLI mode.
    Lenin, Jeffin and laztrix like this.
  2. Brogan

    Brogan XenForo Moderator Staff Member

    Strangely enough we (Kier, Lawrence, Dean) were discussing this last night.
    My shared server is also running 32 bit so I've contacted my host again to ensure steps are taken - they weren't that interested when I mentioned it to them last night.
  3. Kier

    Kier XenForo Developer Staff Member

    I'll be making an announcement about this when php.net is updated with fixed versions.
    Insy, Jo., krstep and 2 others like this.
  4. Kaiser

    Kaiser Well-Known Member

    Im confused, cany anyone elaborate?
  5. Kier

    Kier XenForo Developer Staff Member

    It's trivial to crash any server running an affected version of PHP.
    Kaiser and Darkimmortal like this.
  6. M@rc

    M@rc Well-Known Member

    I've contacted my host and it seems that they are protected against these types of attacks.

    The person that tried to execute the script will be blocked.
  7. Jaxel

    Jaxel Well-Known Member

    I just tested this on my website... no issues.
  8. MGSteve

    MGSteve Well-Known Member

    Hmm, it hangs my Win32 dev box, but works fine on the self-compiled version on the Live Linux box.

    32bit on both, 5.25 on the Dev box, 5.29 on the live box, FWIW.
  9. Kier

    Kier XenForo Developer Staff Member

  10. steven s

    steven s Well-Known Member

    Can I learn about what package I am running using phpinfo(); ?
  11. Kier

    Kier XenForo Developer Staff Member

    Unfortunately not.
  12. steven s

    steven s Well-Known Member

  13. mjp

    mjp Well-Known Member

    CLI = command line. If you don't admin the server you won't be able to run the test script.
  14. steven s

    steven s Well-Known Member

    Thanks. I'm checking with my host.
  15. Andy.N

    Andy.N Well-Known Member

    I put the content into a file called text.php and run it from the command line

    #php text.php
    Testing float behaviour. If this script hangs or terminates with an error message due to maximum execution time limit being reached, you should update your PHP installation asap!
    For more information refer to <http://bugs.php.net/53632>.
    Your system seems to be safe.

    EDIT: I run PHP 5.3.3 by the way
    # php -v
    PHP 5.3.3 (cli) (built: Nov 11 2010 18:42:09)
    Copyright (c) 1997-2010 The PHP Group
    Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies

    # uname -a
    Linux host.quantnet.com 2.6.9-023stab048.6-enterprise #1 SMP Mon Nov 17 19:09:18 MSK 2008 i686 i686 i386 GNU/Linux
  16. steven s

    steven s Well-Known Member

    Your system seems to be safe. :)
  17. Miko

    Miko Well-Known Member

    If you are not server admin and your host support is slow you could prevent the malicious code by adding something like this to your php script

    Untested but should work.


    // *************************************************************
    // provided by AirCraft24.com / www.aircraft24.com
    // version 1.5, released 2011-01-06 14:00 GMT+1
    // *************************************************************

    if (strstr(str_replace('.','',serialize($_REQUEST)), '22250738585072011'))
    header('Status: 422 Unprocessable Entity');
      die (
    'Script interrupted due to floating point DoS attack.');

    // *************************************************************
    // *************************************************************

  18. Jo.

    Jo. Well-Known Member

    Thanks for alerting us to this!
    GeeksKickAss likes this.
  19. steven s

    steven s Well-Known Member

    Took my host 6 minutes from submitting ticket to closing ticket. :)
  20. Carlos

    Carlos Well-Known Member

    Talking to my host administrator about this. :(

Share This Page