Vigil@nce - Apache httpd, nginx: denial of service via PHP-FPM/PHP-CGI
May 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can open numerous long connections to an Apache httpd
or nginx server using PHP-FPM/PHP-CGI, in order to trigger a
denial of service.
Impacted products: Apache httpd, nginx, PHP
Severity: 2/4
Creation date: 06/05/2014
DESCRIPTION OF THE VULNERABILITY
A web server (Apache httpd, nginx) can support the PHP language
using:
– mod_php : the module is loaded in the web server process.
– PHP-FPM, PHP-CGI : independant processes communicate with the
web server.
However, by manipulating timeout and keep-alive durations, an
attacker can use a few resources, in order to saturate (memory and
number of connections) PHP-FPM and PHP-CGI.
An attacker can therefore open numerous long connections to an
Apache httpd or nginx server using PHP-FPM/PHP-CGI, in order to
trigger a denial of service.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Apache-httpd-nginx-denial-of-service-via-PHP-FPM-PHP-CGI-14701