  1. #1
    Member
    Join Date
    Mar 2003
    Posts
    222
    cPanel/Enkompass Access Level

    Root Administrator

    Simple PHP Script crashing server

    Hi,

    I have a simple PHP script that crashes the server. The script is


    PHP Code:
    <?php

    $cmd = "php -v";
    // Run the command and collect stdout and stderr, line by line, in $output
    exec("$cmd 2>&1", $output);

    print_r($output);
    This works fine on my server with PHP 4.4.4

    But on a server with PHP 5, it just gets into some loop (too many processes in a short time) and crashes the server. This is part of a script, so many clients use the script and crash my server, so I checked the script and found these lines create the problem. If I use the full path to php, it will be fine.


    My php version is PHP 5.2.5 running in suPHP mode.

    Anyone know why this is happening?

    Thanks,

    Yujin

  2. #2
    Member brianoz's Avatar
    Join Date
    Mar 2004
    Location
    Melbourne, Australia
    Posts
    1,117
    cPanel/Enkompass Access Level

    Root Administrator

    Try this instead, at least you're more likely to see the error:

    PHP Code:
    <?php

    $cmd = "php -v";
    // passthru() sends the command's raw output straight to the browser
    passthru("$cmd 2>&1");

  3. #3
    Registered User
    Join Date
    Apr 2006
    Posts
    4

    I also have a similar problem. One user uploaded a simple script that only has:

    echo exec('pear install PhpDocumentor');

    If you open the page in the browser, the system starts spawning a lot of php processes quickly and the server runs out of memory soon enough.

    I was able to reproduce the same with just:

    echo exec('pear');

    I'm a bit worried about how easy it is for a user to crash the server, so I am hoping someone can share some hints about how to avoid this.

    The system has the latest httpd 2.2.8 and php 5.2.5 with suPHP built with the latest easyapache from Release. Is suhosin the solution? Blacklisting the exec function?

  4. #4
    Member
    Join Date
    Mar 2006
    Posts
    1,215

    exec is one of many functions that should be disabled in php.ini disable_functions

  5. #5
    Registered User
    Join Date
    Apr 2006
    Posts
    4

    Quote: Originally Posted by jayh38
    exec is one of many functions that should be disabled in php.ini disable_functions

    But if the user can upload his own php.ini that's not good enough, right?
    Thanks.

  6. #6
    Member
    Join Date
    Mar 2003
    Posts
    222
    cPanel/Enkompass Access Level

    Root Administrator

    Disabling exec is not a solution. Many scripts need exec to work, so I don't think everyone can disable the exec function on their servers. It seems to be a bug; the same code works without any problem on PHP 4 (running phpsuexec).

  7. #7
    cPanel Development cpanelkenneth's Avatar
    Join Date
    Apr 2006
    Posts
    3,788
    cPanel/Enkompass Access Level

    Root Administrator

    This is the expected behavior of PHP CGI, as shown by this report:

    http://bugs.php.net/bug.php?id=30463

  8. #8
    Member
    Join Date
    Mar 2003
    Posts
    222
    cPanel/Enkompass Access Level

    Root Administrator

    Thanks for the reply. That bug is dated 17 Oct 2004, so... any client who knows the one-line code can crash the server? No way to prevent this?

    The bug report says Apache limits execution and shows Internal Server Error. Is there any way we can also do the same, that is, stop the runaway process from killing the server?

  9. #9
    Registered User
    Join Date
    Apr 2006
    Posts
    4

    OK, so I edited the pear script to make sure PHP=/usr/bin/php-cli then no more crash.

    But it might be rewritten by software updates, so.. the more elegant fix would be to ensure that the envvar PHP_PEAR_PHP_BIN gets set properly as that determines which php binary the pear command will call.

    Anyone know where to set it ? Also, in case someone calls php like in brianoz's example, isn't it safer to make sure php will always point to the cli ? No more php -> php-cgi symlinks please.
    Last edited by robalo; 02-15-2008 at 12:19 PM.

  10. #10
    Member brianoz's Avatar
    Join Date
    Mar 2004
    Location
    Melbourne, Australia
    Posts
    1,117
    cPanel/Enkompass Access Level

    Root Administrator

    I guess the fix would be to make sure that the PATH when running PHP as CGI includes a directory with the CLI version ahead of the directory containing the CGI version.

    In other words, if the CGI version comes from /usr/bin/php and the CLI version from /usr/local/bin, make sure PATH is set something like:
    Code:
    PATH=/usr/local/bin:/usr/bin:...
    Another option that might work well is to make sure that the CLI version is the only one available in the PATH, that is, have the CGI binary come from /usr/local/php5/bin/php and then make sure that /usr/bin/php is CLI. As far as I remember that's how it used to be done but easyapache3 seems to have discarded that wisdom!
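
A check for the PATH ordering discussed in posts #9 and #10, as an added example that is not part of the original thread: it finds the first `php` that a given PATH resolves to and classifies it as CLI or CGI from its `-v` banner. The function names and demo directory layout are assumptions, and the two fake `php` binaries are constructed so the script runs without PHP installed.

```shell
#!/bin/sh
# Report which SAPI a php binary was built as, from its `-v` banner.
# env -i clears inherited variables (SCRIPT_FILENAME, REQUEST_METHOD, ...) so a
# CGI build prints its banner rather than treating the call as a web request.
php_sapi_of() {
    banner=$(env -i "$1" -v 2>/dev/null | head -n 1)
    case "$banner" in
        *"(cli)"*)  echo cli ;;
        *"(cgi"*)   echo cgi ;;      # matches (cgi) and (cgi-fcgi)
        *)          echo unknown ;;
    esac
}

# Print the first executable file named `php` found in a PATH-style string.
first_php_in_path() {
    old_ifs=$IFS; IFS=:
    for dir in $1; do
        if [ -x "$dir/php" ] && [ ! -d "$dir/php" ]; then
            IFS=$old_ifs; echo "$dir/php"; return 0
        fi
    done
    IFS=$old_ifs; return 1
}

# Verdict for a PATH: "ok" (bare `php` is CLI), "risk" (CGI), "unknown" or "missing".
audit_php_path() {
    bin=$(first_php_in_path "$1") || { echo "missing"; return 0; }
    case $(php_sapi_of "$bin") in
        cli) echo "ok $bin" ;;
        cgi) echo "risk $bin" ;;
        *)   echo "unknown $bin" ;;
    esac
}

# Constructed demo: two fake php binaries that only print a version banner.
demo_setup() {
    demo=$(mktemp -d)
    mkdir -p "$demo/usr/bin" "$demo/usr/local/bin"
    printf '#!/bin/sh\necho "PHP 5.2.5 (cgi) (built: constructed)"\n' > "$demo/usr/bin/php"
    printf '#!/bin/sh\necho "PHP 5.2.5 (cli) (built: constructed)"\n' > "$demo/usr/local/bin/php"
    chmod +x "$demo/usr/bin/php" "$demo/usr/local/bin/php"
}

demo_setup
audit_php_path "$demo/usr/bin:$demo/usr/local/bin"    # CGI directory first
audit_php_path "$demo/usr/local/bin:$demo/usr/bin"    # CLI directory first, as in post #10
rm -rf "$demo"
```

On a real server, pass the PATH that the suPHP/CGI environment actually hands to scripts, which may differ from the PATH of a root login shell.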

  11. #11
    Member
    Join Date
    Nov 2005
    Posts
    64

    In order to protect the server from crashing, setting the following option might help (it will only make sense on phpsuexec/suphp configurations, i.e., when php scripts are running under a specific user):

    Just add
    RLimitNPROC 20
    into your httpd.conf

    Do not forget about
    /usr/local/cpanel/bin/apache_conf_distiller --update

    I use that on all our servers.

    More reading:
    http://httpd.apache.org/docs/2.2/mod...ml#rlimitnproc
    Dmitry Postrigan
