Hi,
I just tried again what happens when I run the script. This time the server wasn't able to recover itself. After 2 minutes the system was nearly down, and after about two hours it had to be rebooted. I think all those web-space providers which offer access to CGI are *very* vulnerable.
Actually no, most of the good ones are not vulnerable. They put in user limits and they audit your CGI scripts before they are installed.
OK, I found a serious bug in SuSE. When I hit my server with a hammer a lot, SuSE stops working. I want a fix NOW. I think this is a serious problem for anyone running SuSE!
Peer-Christoph Mettelem
-Kurt
Yeah, I tried it at my office server, and this one is vulnerable to this failure too. (Used a 300g hammer and Kernel 2.2.18.) Because of the very heavy system crash I haven't reproduced it with kernel 2.4.3, but I think this one is vulnerable too. Seems to be a kernel problem, we should inform Linus.
Back to reality: Performing this failure with CGI scripts on public web servers won't work in most cases, as Kurt pointed out. But if my users in my company log in and start a script with such an error (erroneously!) and give me a DoS - this is definitely a vulnerability! I never tested the script, but such a recursion error could happen very fast.
Ralf
P.S.: Sorry, Kurt, for sending the mail directly to you. It's late and I haven't changed the address.
Ralf 'coko' Koch
mailto:info@formel4.de
---
Press Cancel to continue