php-fpm master process restarts child process in an endless loop when using Program execution Function (CVE-2015-9253)
The php-fpm master process restarts a child process in an endless loop when Program execution Functions (passthru(), exec(), shell_exec(), system(), ...) are used with a non-blocking STDIN stream. The php-fpm master then consumes 100% CPU and rapidly fills the available storage space with error logs that grow extremely fast (the growth rate depends on CPU speed).
Andreas Schnederle-Wagner, 16.02.2018 and others (see linked PHP Bug Reports)
For feedback or questions about this advisory mail me at firstname.lastname@example.org
5.4 - 7.2.2 (earlier Versions most likely also affected)
Attack Type, Impact
'Uncontrolled Recursion' (child restart loop) resulting in 'Uncontrolled Resource Consumption' - 100% CPU usage & Storage Space exhaustion
Access Complexity, Authentication
very low, access to shared hosting Server
PHP is a server-side scripting language designed for web development but also used as a general-purpose programming language.
This bug can be used to DoS shared hosting services: the php-fpm master process eats up 100% CPU and rapidly consumes all available disk space.
Proof of concept