I can confirm the behaviour. Even if I do not change script names and/or HTTP host.
b. On 13 March 2015 at 16:01, Patrick Schaaf <p...@bof.de> wrote: > On Tuesday 10 March 2015 10:26:12 Patrick Schaaf wrote: > > > > https://bugs.php.net/bug.php?id=68486 > > Meanwhile I did some more debugging, today also testing with a freshly > compiled current apache 2.4.12. The issue persists. > > As it does not always coredump, but always uncontrollably reenters an > already- > deconfigured PHP interpreter, I see the potential for arbitrary remote code > execution. I opened a security bug for that two days ago - no reaction. > > Sorry for shouting, BUT IS REALLY NOBODY HERE INTERESTED IN (non-fpm) PHP > UNDER APACHE 2.4 / LINUX ?????? > > I don't want to go out on the internet and test whether I can randomly > crash > any such server, but everything I analyzed so far tells me that half of the > world might be affected by this. > > For those who cannot be bothered to read the bug report, but have an apache > 2.4 running with mod_php, could you please run the following against your > server, and look for segmentation violation / coredump messages in your > server > logs? > > echo -e 'GET /foo.php HTTP/1.1\nHost: www.example.de\n\nGET /foo.php > HTTP/1.1\nHost: www.example.de\n\n' | nc localhost 80 > > (of course, replace /foo.php with any trivial PHP script on your server, > and > www.example.de with your virtual host name) > > best regards > Patrick > > P.S.: to anybody who now wants to tell me to just use FPM/fastCGI: save the > bits, I don't want to hear that. > > -- > PHP Internals - PHP Runtime Development Mailing List > To unsubscribe, visit: http://www.php.net/unsub.php > >
