Vineet Bansal
2009-08-15 22:44:14 UTC
I have a fresh PHP 5.2.6 install on Apache 2 under CentOS 5.3. After
receiving complaints from some users that they were unable to submit their
abstracts on our proposal submission website, I was able to isolate the
problem to this minimal and extremely simple example:
<html>
<head>
</head>
<body>
<form name="submitform" action="phantomurl.php" method="post">
<textarea name="mytextarea"></textarea>
<input type="submit" value="Submit"/>
</form>
</body>
</html>
The phantomurl.php doesn't exist because it's irrelevant to the example. The
above code works fine and leads to a 404 error when anything is entered in
the textbox, except when you enter "system(" or "system (". In this case,
the browser simply chugs along and eventually times out on the request (no
matter how high the timeout is set in php.ini). I have confirmed this
problem with another server with PHP 5.1.6, which CentOS 5.3 officially
supports. If I change phantomurl.php to phantomurl.txt, then again it works
(although after a bit of delay) and shows me a 404 again.
Can someone confirm if they're having the same issue? I'm not sure if Apache
or PHP is the culprit here, maybe trying to parse the input for security
reasons? I initially thought SELinux was causing the issue, but disabling it
doesn't solve it either.
Thanks for your help!