PHP floating point bug - potential DoS threat

[Shamil]

x64 versions of PHP appear to be safe anyway, it affects 32bit versions only.

I know, but I've never used 64-bit PHP in Windows - it doesn't fully exist, as of yet. Anyway, to the security..

 

[JadedHeart]

I put the content into a file called text.php and run it from the command line

#php text.php
Testing float behaviour. If this script hangs or terminates with an error message due to maximum execution time limit being reached, you should update your PHP installation asap!
For more information refer to <http://bugs.php.net/53632>.
Your system seems to be safe.

EDIT: I run PHP 5.3.3 by the way
# php -v
PHP 5.3.3 (cli) (built: Nov 11 2010 18:42:09)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies

# uname -a
Linux host.quantnet.com 2.6.9-023stab048.6-enterprise #1 SMP Mon Nov 17 19:09:18 MSK 2008 i686 i686 i386 GNU/Linux

Your link for more info returns
404 Not Found

 

[Paul B]

Just remove the > from the URL: http://bugs.php.net/53632

 

[random]

I'm just wondering who was the has-no-life guy who discovered this very rare bug?

 

[Phil Conway]

Panicked when I saw this, but the test script works without hanging on my server, so we seem to be safe

 

[valdet]

Hi all,

Thanks for this notice. I am currently unable to access shell account and my host isn't helping too much with the test script.

Could someone tell me if below info from phpinfo() and my dedicated server specs mean I am running 64 bit version which is said to be unaffected.


dedicated server specs

WHM 11.28.64
CENTOS 5.5 x86_64 standard on server

phpinfo()

Linux server.mysite.net 2.6.18-194.26.1.el5 #1 SMP Tue Nov 9 12:54:20 EST 2010 x86_64

I am unsure which one I have.

Thanks.

 

[Kier]

It's not possible to tell from phpinfo (bizarrely).

 

[valdet]

It's not possible to tell from phpinfo (bizarrely).

Thanks Kier, but does the fact that I am on Centos x86_64 bit machine mean I am safe..?

 

[Paul B]

No because you can run 32 bit PHP on a 64 bit machine.

 

[Kier]

Thanks Kier, but does the fact that I am on Centos x86_64 bit machine mean I am safe..?

It's a good chance that you are, but it is possible to run 32 bit PHP on a 64 bit OS, so it's not a concrete guarantee.

 

[Kaiser]

I like taking chances so I posted it on my forum and nothing happened... so Im safe right?

 

[steven s]

I like taking chances so I posted it on my forum and nothing happened... so Im safe right?

Life on the edge. I like it.
What did you post?

 

[MGSteve]

I like taking chances so I posted it on my forum and nothing happened... so Im safe right?

Unless its interpreted as a number, it won't do anything. Try inserting into a URL parameter that's expected to be a number, that might do it. i.e. thread ID or something.

It really depends how tight the validation of URL data is within whatever script you're running.

 

[SilverCircle]

It's not possible to tell from phpinfo (bizarrely).

Depends on the system. The output from Configure Command might provide some clue, like here.

'./configure' '--with-layout=GNU' '--localstatedir=/var' '--with-config-file-scan-dir=/usr/local/etc/php' '--disable-all' '--enable-libxml' '--with-libxml-dir=/usr/local' '--with-pcre-regex=/usr/local' '--program-prefix=' '--enable-fpm' '--with-fpm-user=www' '--with-fpm-group=www' '--with-libevent-dir=/usr/local' '--with-apxs=/usr/local/sbin/apxs' '--with-regex=php' '--with-zend-vm=CALL' '--enable-zend-multibyte' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=amd64-portbld-freebsd8.1'

Also, if one has shell access he could try to execute php-config which gives additional build information (if installed). If there are any references to some 32bit library directory it's a good indication for a 32bit build.

Finally, if one knows where the php binaries (or the apache module) is installed, he can use the file command to check whether it is a 32- or 64bit executable.

 

[Gene Steinberg]

Just FYI: cPanel has released an EasyApache update that includes this fix.

From the current change log:

EasyApache Change Log

EasyApache updates are not specific to Product versions, nor the publication tiers.
5291

• Implemented case 43831: Remove all references to gettree and getrevision
• Implemented case 43888: Update /scripts/checkallowoverride to isolate or eliminate code that updates httpd.conf
• Implemented case 45468: Add PHP 5.2.16 and remove 5.2.15
• Implemented case 45843: Fix PHP bug 53632 (http://bugs.php.net/bug.php?id=53632)
• Fixed case 43872: /scripts/remservlets and /scripts/killacct do not remove Tomcat work files

If you have a VPS or dedicated server with the WHM/cPanel software installed, this is a simple update. Otherwise, ask your host to do it ASAP.

This is one big reason why I choose cPanel over Plesk, even when I have had servers that came with Plesk.

 

[Paul M]

This is one big reason why I choose cPanel over Plesk, even when I have had servers that came with Plesk.

I have three Plesk servers.

Yum update php

Job done ... not exactly hard

 

[Gene Steinberg]

I have three Plesk servers.

Yum update php

Job done ... not exactly hard

Plus a simple way to choose your Apache and PHP add-ons in a graphical interface. Even less hard.

 

[AnthonyCea]

Too hard for me though !!

 

[Erik]

Grrr... Ubuntu still hasn't updated their repos.

 

[AnthonyCea]

I have three Plesk servers.

Yum update php

Job done ... not exactly hard

Thanks for helping me move my forums to your 3 servers Paul !!!