PHP floating point bug - potential DoS threat

So, what's the best way to go about updating PHP if I am running Ubuntu and Ubuntu hasn't updated its packages yet? How do I do a manual update?
 
So, what's the best way to go about updating PHP if I am running Ubuntu and Ubuntu hasn't updated its packages yet? How do I do a manual update?
If that is a localhost development server for yourself, I wouldn't worry. Unless you want to go and try crashing your box. :P
 
Just wanted to add... I am running a Mediatemple (dv) 3.5, which happens to be CentOS5 i386 (32bit) and I had this vulnerability. If you have yum set up on your server, follow these instructions (link to source below).

First, log into ssh as root.

Then run this command:
Code:
rpm -ivh http://repo.webtatic.com/yum/centos/5/`uname -i`/webtatic-release-5-1.noarch.rpm

Then this:
Code:
yum --enablerepo=webtatic update php

Then:
Code:
/etc/init.d/httpd reload
or just reload/restart your webserver to make the running php version update (I know not everyone uses apache... and I don't know how lighttpd works)

If you have depsolving problems, please follow this link for the full instructions. Note: `uname -i` gets your processor arch (i.e. i386 or i686); chances are you'll have i386 if you're following these instructions though :p You can always run uname -i at the shell to check. uname -a will give you more info.

http://www.webtatic.com/blog/2009/06/php-530-on-centos-5/
 
root@derfy:/home/derfy# php test.php
Testing float behaviour. If this script hangs or terminates with an error message due to maximum execution time limit being reached, you should update your PHP installation asap!
For more information refer to <http://bugs.php.net/53632>.
Your system seems to be safe.

root@derfy:/home/derfy#

Does this only affect php 5.3? I'm running 5.2.
root@derfy:/home/derfy# php -v
PHP 5.2.10-2ubuntu6.5 with Suhosin-Patch 0.9.7 (cli) (built: Sep 16 2010 20:04:48)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies
 
I get this when using this script: "Please run this test from CLI". How do I run this if my file's called test.php?

PHP:
<?php
/*
  +----------------------------------------------------------------------+
  | PHP Version 5                                                        |
  +----------------------------------------------------------------------+
  | Copyright (c) 2011 The PHP Group                                     |
  +----------------------------------------------------------------------+
  | This source file is subject to version 3.01 of the PHP license,      |
  | that is bundled with this package in the file LICENSE, and is        |
  | available through the world-wide-web at the following url:           |
  | http://www.php.net/license/3_01.txt                                  |
  | If you did not receive a copy of the PHP license and are unable to   |
  | obtain it through the world-wide-web, please send a note to          |
  | license@php.net so we can mail you a copy immediately.               |
  +----------------------------------------------------------------------+
  | Author: Johannes Schlueter <johannes@php.net>                        |
  +----------------------------------------------------------------------+
*/

if (PHP_SAPI != 'cli') {
    die("Please run this test from CLI!\n");
}

ini_set('display_errors', 1);
ini_set('output_buffering', 0);
error_reporting(-1);
if (!ini_get('safe_mode')) {
    set_time_limit(1);
}

echo "Testing float behaviour. If this script hangs or terminates with an error ".
     "message due to maximum execution time limit being reached, you should ".
     "update your PHP installation asap!\n";
echo "For more information refer to <http://bugs.php.net/53632>.\n";
$d = (double)"2.2250738585072011e-308";
echo "Your system seems to be safe.\n";
?>
 
I get this when using this script: "Please run this test from CLI". How do I run this if my file's called test.php?

If you see a page like that, then it's because it's still got the .txt file extension. You need to rename this to .php and then log in via shell access and run it by changing into the directory where the script is and typing php test.php

(assuming you called it test.php, otherwise change test.php to that of the file you've uploaded).

Not all hosts have the CLI version of PHP installed though. The really drastic way to test it is to create a PHP page as below, upload it and run it.
PHP:
<?php
// Same check as the CLI script, minus the SAPI guard, so it can be served
// through the web server; an affected build hangs on the (double) cast.
echo "Testing float behaviour. If this script hangs or terminates with an error ".
    "message due to maximum execution time limit being reached, you should ".
    "update your PHP installation asap!\n";
echo "<BR>For more information refer to http://bugs.php.net/53632.\n";
$d = (double)"2.2250738585072011e-308";
echo "<BR>Your system seems to be safe.\n";
?>

Although be warned, if you don't have a way to restart Apache, you'll DoS yourself.

If it works you'll see
Code:
Testing float behaviour. If this script hangs or terminates with an error message due to maximum execution time limit being reached, you should update your PHP installation asap!
For more information refer to http://bugs.php.net/53632
Your system seems to be safe

If it doesn't, you'll simply end up with a page that either times out or simply loads forever. You'll also get a hung PHP process, so only do the above if you can restart Apache remotely.
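Both tests in this thread share the same drawback: on an affected build the interpreter hangs. As an added example (not code from the thread or from PHP), the following POSIX sh probe runs the same literal under coreutils `timeout`, so a hung interpreter is killed after a fixed limit instead of tying up the shell; it assumes `timeout` is installed and that the php binary supports the `-r` one-liner flag.

```shell
#!/bin/sh
# Added example (not the thread's script): probe a PHP binary for bug #53632
# under a hard wall-clock limit, so an affected build is killed instead of
# leaving the hung interpreter the posters warn about. Relies on coreutils
# `timeout` and `php -r`; the literal is the one from the thread's test.php.
#
# Usage: check_php_float_bug [php_binary] [seconds]
# Returns 0 if the literal parsed promptly (build looks safe),
#         1 if the interpreter had to be killed (affected by #53632),
#         2 if the interpreter or `timeout` is not available/executable.
check_php_float_bug() {
    php_bin=${1:-php}
    limit=${2:-5}
    command -v timeout >/dev/null 2>&1 || return 2
    command -v "$php_bin" >/dev/null 2>&1 || return 2

    # Converting this string to a double is what spins on affected builds.
    timeout -s KILL "$limit" "$php_bin" -r \
        '$d = (double)"2.2250738585072011e-308"; exit(0);' \
        >/dev/null 2>&1
    rc=$?
    # GNU timeout exits 124 on expiry; other implementations may pass the
    # KILL status (137) through. 126/127 mean the binary could not be run.
    case $rc in
        124|137) return 1 ;;
        126|127) return 2 ;;
        *)       return 0 ;;
    esac
}

# Human-readable report for interactive use; exit status mirrors the check.
report_php_float_bug() {
    check_php_float_bug "$@"
    rc=$?
    case $rc in
        0) echo "safe: ${1:-php} parsed the literal within ${2:-5}s" ;;
        1) echo "AFFECTED: ${1:-php} hung on the literal and was killed" ;;
        *) echo "skipped: ${1:-php} or timeout not available" ;;
    esac
    return $rc
}
```

Source the file (`. ./check_php.sh`) and call `report_php_float_bug /usr/bin/php 5`; a build that hangs is reported after the limit rather than blocking the terminal.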
 
Although be warned, if you don't have a way to restart Apache, you'll DoS yourself.

Thanks, my VPS is safe; upgraded my PHP as well to make sure.
 
Code:
cd /path/to/file
php test.php

You need access to the console.
I get this when using this script: "Please run this test from CLI". How do I run this if my file's called test.php?
 
So, what's the best way to go about updating PHP if I am running Ubuntu and Ubuntu hasn't updated its packages yet? How do I do a manual update?
If you're asking, I don't recommend trying ;)
Debian has already released, Ubuntu will follow within a couple of days.
Just apt-get update until you see something, then apt-get upgrade.
 
So, what's the best way to go about updating PHP if I am running Ubuntu and Ubuntu hasn't updated its packages yet? How do I do a manual update?

To be honest, building PHP yourself is almost easier than installing it from a repo. Grab the latest tar.gz, tar zxf it and change to the extracted directory, copy+paste the configure line from the top of your existing phpinfo() page and run that, then make && make install.

Plus when you build it yourself you can alter the configure line to include as much or as little as you need :)
 