----- "Pito Salas" <rps@xxxxxxxxx> wrote:
> I was having a debate with a friend of mine. Can you clear this up?
>
> Is it true that I can do an http post to any apache/httpd server and
> get it to upload a file? It would seem like an application should
> give
> permission, or at least that httpd could be configured so that an
> application needs to give permission.
>
> In other words:
>
> <form action="http://gmail.com/" method="post" multipart="yes">
>   <input type="file" name="big"/>
>   <input type="submit" value="go"/>
> </form>
>
> Will the server accept and process all the gazillion bits of the file
> even if no application has said it wants it?
>
> I know it's probably a dumb question (he says it is) but it seems to
> be such a big opening for a DOS attack that I can't believe it's
> possible.

Why not just try it out?

i.galic@phoenix ~/Projects/asf/httpd (svn)-[trunk:1004125] % dd if=/dev/urandom of=zomg.big bs=4096 count=40096
40096+0 records in
40096+0 records out
164233216 bytes (164 MB) copied, 45.7197 s, 3.6 MB/s
i.galic@phoenix ~/Projects/asf/httpd (svn)-[trunk:1004125] % curl -vid @zomng.big http://httpd.bblan 2>&1 | less
Warning: Couldn't read data from file "zomng.big", this makes an empty POST.

meh..

i.galic@phoenix ~/Projects/asf/httpd (svn)-[trunk:1004125] % base64 < zomg.big > big.txt
i.galic@phoenix ~/Projects/asf/httpd (svn)-[trunk:1004125] % curl -vid @big.txt http://httpd.bblan 2>&1 | less
* About to connect() to httpd.bblan port 80 (#0)
*   Trying 127.0.1.3...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
^M  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0connected
* Connected to httpd.bblan (127.0.1.3) port 80 (#0)
> POST / HTTP/1.1
> User-Agent: curl/7.21.0 (x86_64-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.18
> Host: httpd.bblan
> Accept: */*
> Content-Length: 22369624
> Content-Type: application/x-www-form-urlencoded
> Expect: 100-continue
>
< HTTP/1.1 100 Continue
} [data not shown]
^M 48  208M    0     0   48  101M      0   104M  0:00:01 --:--:--  0:00:01  104M< HTTP/1.1 200 OK
< Date: Mon, 04 Oct 2010 19:27:36 GMT
< Server: Apache/2.2.16 (Ubuntu)
< Accept-Ranges: bytes
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
< Content-Type: text/html
<
{ [data not shown]
HTTP/1.1 100 Continue

HTTP/1.1 200 OK
Date: Mon, 04 Oct 2010 19:27:36 GMT
Server: Apache/2.2.16 (Ubuntu)
Accept-Ranges: bytes
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html

> Thanks for any insights (or references where the answer is explained)

Check the RFC (2616) itself.. It should say something like: If a request
type is not forbidden, it's allowed.

That might be one of the reasons why Paul Querna wrote mod_allowmethods
for ASF Infra ( https://svn.apache.org/repos/asf/httpd/sandbox/mod_allowmethods/ )

> - Pito
>
> --
> Check out http://www.salas.com and http://www.blogbridge.com/look
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server
> Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

i

--
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@xxxxxxxxxxxxxx
URL: http://brainsware.org/
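Added example (not part of the thread above, and not code from the httpd project): the test in the reply shows that a stock httpd reads a POST body to any URL and still answers 200, so the controls a defender reaches for are a bound on the request body and a method allow-list. The snippet below uses only core httpd 2.2 directives (LimitRequestBody, LimitExcept, Order/Deny); the paths /var/www and /upload and the size values are assumptions chosen for illustration.

```apache
# Added example: bound what any client can POST to this server.
# Assumed layout: static content under DocumentRoot /var/www, one
# application that genuinely consumes uploads mounted at /upload.

# Server-wide ceiling on request bodies (1 MiB). When a request carries a
# Content-Length above this, httpd answers 413 instead of passing the body
# to a handler.
LimitRequestBody 1048576

# Everywhere except the upload endpoint, only read-only methods are allowed.
# A POST to / (the case from the thread) now gets 403, not 200.
<Location />
    <LimitExcept GET HEAD OPTIONS>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Location>

# The upload endpoint may accept POST and a larger body, but still bounded
# (10 MiB here, an assumed value; size it to what the application needs).
<Location /upload>
    LimitRequestBody 10485760
    <LimitExcept GET HEAD POST>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Location>
```

Re-run the curl command from the reply after reloading: the POST to / should now come back 403, and a body larger than the LimitRequestBody in effect should come back 413. The access-control rule alone is not the whole mitigation, since a client can still push bytes at the socket until httpd finishes discarding or closes the connection; the size limit is what keeps that cost bounded per request, and the 2.4-era mod_allowmethods mentioned in the reply is the cleaner replacement for the LimitExcept blocks.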