Tweet
This is a general notice to people running PHP sites out there. Please note that it is NOT a problem caused by Zoom - any PHP script on your website (e.g. your forum, CMS, etc.) could be susceptible to this problem.
There has been a recent discovery of a serious bug in the PHP scripting engine that causes it to crash when a particular floating point number: 2.2250738585072011e-308 is assigned to a variable. This means many servers out there are now vulnerable to being made to crash (technically, it just locks up a CPU at 100% until the process is killed or restarted, but it can lead to a server being made unavailable) simply by having a user submit that value to a PHP page (e.g. think a login name, or a forum post, etc.)
You should check if you are vulnerable to this and contact your web host for help. They should update to the latest version of PHP (which has fixed this problem) if necessary, but many web hosts can be slow on the task.
Note that it reportedly only seems to be affecting 32-bit builds of the PHP engine, and not the 64-bit builds.
A short term fix would be to add the following code to the start of a PHP script to avoid this from happening. It will abort any attempt to use the problemmatic floating point number when submitted by an attacker:
More information can be found on the PHP bugs website here:
http://bugs.php.net/bug.php?id=53632
Thanks to Jefferson F. Scher for contacting us about this. A modified version of the fix he suggested is above.
There has been a recent discovery of a serious bug in the PHP scripting engine that causes it to crash when a particular floating point number: 2.2250738585072011e-308 is assigned to a variable. This means many servers out there are now vulnerable to being made to crash (technically, it just locks up a CPU at 100% until the process is killed or restarted, but it can lead to a server being made unavailable) simply by having a user submit that value to a PHP page (e.g. think a login name, or a forum post, etc.)
You should check if you are vulnerable to this and contact your web host for help. They should update to the latest version of PHP (which has fixed this problem) if necessary, but many web hosts can be slow on the task.
Note that it reportedly only seems to be affecting 32-bit builds of the PHP engine, and not the 64-bit builds.
A short term fix would be to add the following code to the start of a PHP script to avoid this from happening. It will abort any attempt to use the problemmatic floating point number when submitted by an attacker:
Code:
// Protection from floating point bug in PHP engine
if (strpos(str_replace('.', '', serialize($_REQUEST)), '22250738585072011') !== false)
{
header('Status: 422 Unprocessable Entity');
die();
}
http://bugs.php.net/bug.php?id=53632
Thanks to Jefferson F. Scher for contacting us about this. A modified version of the fix he suggested is above.
Comment