Description of problem: PHP's passthru function in Red Hat 8 stock PHP/Apache2 is barely functional, if the program it runs returns any significant amount of data, it causes a DoS situation, the server will become very unresponsive, and the query takes much longer than expected. This could be remotely exploited as a system-wide DoS attack if the user has any script that uses a passthru() function to return data the user requested from an external command. Version-Release number of selected component (if applicable): php-4.2.2-8.0.7 httpd-2.0.40-11 How reproducible: Always Steps to Reproduce: 1. Create a small php script with one command: passthru("cat /boot/vmlinuz"); 2. Request the script through the web server. The first time it runs it may run quickly and return the proper output, but subsequent times it will randomly take a very long time to return the output, a seeming random amount of time between 10 seconds and 10 minutes. While the script is running, the server will be very unresponsive. Note that /boot/vmlinuz is just an example, any command that returns a significant amount of output, (500K+ such as calling ghostscript to generate a PDF/PS file for the user) will cause the condition. Larger outputs seem to cause the response time to scale up in an exponential growth rate. Actual results: Extreme slowdown of server. Expected results: Almost instant response with data. Additional info:
passthru() did get optimized recently upstream, though this sounds like a more serious problem. (http://bugs.php.net/bug.php?id=22308)
This was a problem where httpd would sometimes buffer up dynamic content, and was fixed by the most recent httpd erratum. Thanks for the report. *** This bug has been marked as a duplicate of 97111 ***
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.