CVE-2002-2309

Remote attackers can exploit this vulnerability by directly invoking the PHP interpreter via a web request without any command-line arguments [ref_id=1]. This is particularly relevant when PHP is configured to run on Apache, especially on Microsoft Windows platforms [ref_id=1]. By repeatedly sending such requests, an attacker can cause the PHP process to hang, consuming server resources and potentially preventing the server from launching new PHP processes or other server-side components, leading to a denial of service [ref_id=1].

The vulnerability lies within the PHP interpreter itself, specifically when it is invoked directly without any command-line arguments. The provided exploit code targets the `php.exe` executable when run on Apache, indicating that the issue is related to how the interpreter handles direct requests, especially in a CGI-like context [ref_id=1]. The code suggests that even with `cgi.force_redirect` enabled, an empty command line still causes the interpreter to hang.

The advisory does not specify a patch or provide details on how the vulnerability is fixed. However, it is generally recommended to avoid direct invocation of the PHP interpreter from the web and to ensure proper configuration of PHP on the web server. The vulnerability is described as a problem with PHP and Apache on Microsoft Windows platforms, but may be exploitable in other environments as well [ref_id=1].

The provided reference includes a C exploit script named `php-apache.c` which demonstrates how to trigger the denial of service by sending direct requests to the PHP interpreter without arguments. The script can be compiled and run with arguments for host, port, and the path to the PHP binary [ref_id=1].