posted by steve | Category: Linux & Open Source |
I was working on a patched Debian system recently using PHP functions feof and fread. I went to run my test script and managed to auger Apache in while at the same time dumping over 1GB worth of errors into the Apache error log in a matter of minutes. Over and over (over 5,000,000 entries, actually), with these errors:
[Wed Dec 07 11:17:00 2011] [error] [client xx.xx.xx.xx] PHP Warning: feof() expects parameter 1 to be resource, boolean given in /web/public_html/newsite/testfeed.php on line 5
[Wed Dec 07 11:17:00 2011] [error] [client xx.xx.xx.xx] PHP Warning: fread() expects parameter 1 to be resource, boolean given in /web/public_html/newsite/testfeed.php on line 6
I ended up having to stop Apache and restart it, but it’s a scary denial of service in a few lines of PHP code. It took about 2 minutes and 23 seconds to produce over 5,000,000 errors in the error log for this script.
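The warnings above fit a `while (!feof($fp))` read loop whose handle is the boolean `false` that `fopen()` returns on failure; the script itself is not shown in the post, so that reading is an assumption. What follows is an added example, not code from the original post: a reader that checks the handle and bounds the loop. The name `read_feed`, its limits and the sample file are hypothetical, and the type hints need PHP 7.1 or later.

```php
<?php
// Added example. Pattern consistent with the warnings (for contrast, not executed):
//   $fp = fopen($url, 'r');           // returns false when the open fails
//   while (!feof($fp)) {              // on PHP 5, feof(false) warns and never reports EOF
//       $data .= fread($fp, 8192);    // fread(false) warns as well, on every pass
//   }
// PHP 8 throws a TypeError here instead of looping.

/**
 * Read a stream with a checked handle, a size cap and a time budget.
 * Returns the body, or null on any failure (hypothetical helper).
 */
function read_feed(string $url, int $maxBytes = 1048576, int $maxSeconds = 10): ?string
{
    $fp = @fopen($url, 'r');
    if (!is_resource($fp)) {
        error_log('read_feed: could not open source');  // one log line per failure
        return null;
    }
    stream_set_timeout($fp, $maxSeconds);   // applies to socket streams; no-op on files
    $deadline = time() + $maxSeconds;
    $data = '';

    while (!feof($fp)) {
        $chunk = fread($fp, 8192);
        $meta  = stream_get_meta_data($fp);
        // A timed-out socket yields '' without ever reaching EOF, so stop explicitly.
        if ($chunk === false || !empty($meta['timed_out']) || time() > $deadline) {
            fclose($fp);
            error_log('read_feed: read failed or timed out');
            return null;
        }
        $data .= $chunk;
        if (strlen($data) > $maxBytes) {
            fclose($fp);
            error_log('read_feed: source exceeded size cap');
            return null;
        }
    }
    fclose($fp);
    return $data;
}

// Constructed sample input so the example runs offline.
$tmp = tempnam(sys_get_temp_dir(), 'feed');
file_put_contents($tmp, '<rss>constructed sample</rss>');
var_dump(read_feed($tmp));               // existing file: body is returned
var_dump(read_feed($tmp . '.missing'));  // failed open: null, single log entry
unlink($tmp);
```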