Re: How to prevent DoS on PHP script?

Hello Nitsan and Andrew,
On 2008-06-16 13:20:14, Andrew Ballard wrote:
> On Mon, Jun 16, 2008 at 1:01 PM, Nitsan Bin-Nun <nitsanbn@xxxxxxxxx> wrote:
> > I think you can handle this with 2 pages, the first is checking whether the
> > user is permitted to upload or not and if so passing him to the upload form
> > with a simple (bool) $_SESSION variable which indicates his permissions.
> > If you will try to access the second page and the $_SESS variable won't
> > exist it will throw you back to page 1 to validate your permissions.
> >
> > Am I missing something? (it's pretty simple..)
> >
> > HTH
> 
> Yes, it's missing something. There is nothing in this approach to
> prevent the remote client from attempting to access the second page
> directly. Even if they do not have the valid $_SESSION variable set,
> the server will still receive the entire uploaded content before
> passing control to the PHP script to validate permissions. In a DoS
> attack, the attacker doesn't care whether the request is actually
> allowed; only that resources were consumed in handling the request.
> It's still the "chicken and egg" problem already described in this
> thread.

OK, I was thinking about it, but IF a $UPLOADER goes to

    http://domain/index.php

and then clicks the link

    http://domain/mirror_admin.php

which sets a cookie, and then the $UPLOADER must click a link where he/she
gets the page

    http://domain/mirror_upload.php

before the page is displayed, PHP could check the cookie, right?
If the cookie is valid, it shows the form; if not, the potential uploader
gets a long nose.

Thanks, Greetings and nice Day/Evening
    Michelle Konzack
    Systemadministrator
    24V Electronic Engineer
    Tamay Dogan Network
    Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
Michelle Konzack   Apt. 917                  ICQ #328449886
+49/177/9351947    50, rue de Soultz         MSN LinuxMichi
+33/6/61925193     67100 Strasbourg/France   IRC #Debian (irc.icq.com)

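As an added example (not code from the thread), here is the two-page gate discussed above written in PHP, with the authorisation check kept as cheap as possible; the session flag name, the upload field name and the destination directory are assumptions. It illustrates Andrew's point: the check decides whether the upload is accepted, but the request body has already been received by the time it runs, so byte and disk limits have to be set outside the script.

```php
<?php
// Added example, not from the thread. Flag name, field name and
// destination directory are assumptions.
session_start();

// mirror_admin.php sets the flag once the uploader has been validated:
//   $_SESSION['may_upload'] = true;

// mirror_upload.php: reject unauthorised requests before touching $_FILES.
if (empty($_SESSION['may_upload'])) {
    // Cheap rejection: no $_FILES access, no temp-file move, no disk I/O.
    // Note: with mod_php the whole POST body has already been read and
    // (up to upload_max_filesize) spooled to a temp file before this line
    // runs. The bandwidth and disk cost of a bogus upload is already paid;
    // only the cap in php.ini (post_max_size, upload_max_filesize) and the
    // web server's request-body limit (Apache: LimitRequestBody) bound it.
    header('HTTP/1.1 403 Forbidden');
    exit('Not permitted');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!isset($_FILES['mirror']) || $_FILES['mirror']['error'] !== UPLOAD_ERR_OK) {
        header('HTTP/1.1 400 Bad Request');
        exit('Upload failed');
    }
    // Never reuse the client-supplied file name: generate our own.
    $dest = '/var/mirror/incoming/' . uniqid('mirror_', true);
    if (!move_uploaded_file($_FILES['mirror']['tmp_name'], $dest)) {
        header('HTTP/1.1 500 Internal Server Error');
        exit('Could not store file');
    }
    exit('Stored');
}
?>
<form method="post" enctype="multipart/form-data">
  <input type="file" name="mirror">
  <input type="submit" value="Upload">
</form>
```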