Mark Sanders escribió:
> This vulnerability is not per se a vulnerability but a annoyance that
> has been dealt with in many ways.
>
> It is quite common to not let any process on a web server run longer
> then a specified time. This is usually made possible by some trivial
> shell scripting that checks the running time of certain processes.
>
> This annoyance is also not limited to PHP. Any scripting language that
> has the ability to execute something with the means of system() can
> create and call a script that uses memory and waits indefinitely.
>
> This is also an annoyance that will not be seen as a bug or will be
> "fixed" because it would leave the language almost useless. Although
> some do attempt to fix this by disabling all possible functions that
> can execute something like exec, system, eval, etc. but it is not
> limited to that. The same long wait can be achieved with fsockopen or
> any other stream function like fread, fwrite, etc. Even if your wait
> is limited to 60 seconds you can just repeat it in a simple loop and
> still maintain the very low actual cpu time usage.
>
> This is and has never been a security hole or threat. It will also
> never be. It is just an annoyance for which many solutions are already
> available.
Which are the avalaible solutions ?
Thanks.
Received on May 27 2008
Intro
