Re: Re: How to prevent DoS on PHP script?


 



On Wed, Jun 18, 2008 at 1:00 PM, Jim Lucas <lists@xxxxxxxxx> wrote:
>
> That is fine, but I can upload a file to any php script.
>
> I don't need to use your form to do so, I can just use my own form and post
> data directly to the script.
>
> If anybody remembers, this was an exploit that was found in the 4.0.6 code
> back in the day.

    That's correct.  Theoretically, you can place a form anywhere in
the world, and upload a file to any server in the world.  This is,
unfortunately, a potentially serious issue.

    Consider the following:

    I'm in competition with Company A, and I decide to perform a DoS
attack on them.  I could distribute the attack, PING flood or teardrop
the server, et cetera.... but instead, I decide to try something more
sinister.

    I concoct a very, very simple HTML form like so:

<form method="post" enctype="multipart/form-data"
action="http://www.example.com/">
    File: <input type="file" name="huge_file">
    <input type="submit" value="Crash!">
</form>

    I select the largest file I can find (or generate one myself -
including a VFS block file of several gigabytes), and upload it to
Company A's server via my form.  I can even use cURL or POST from the
command line of several servers to expedite the process.  Any similar
method will work, and the end result would be the same: exceeding disk
space on the server, causing file corruption, unavailability, missed
database transactions, corrupted backups, undeliverable mail, and even
catastrophic data loss.

    On a LAMP system, Apache should automatically remove the file from
the /tmp (or wherever it's configured to write) directory as soon as
the upload completes and the child process dies.  However, with a
large file - or several simultaneous large files - you can easily fill
the disk space of a poorly-configured, poorly-secured server.

    Not to mention the bandwidth-bogging and RAM-hogging you can do.

    Plus, keep in mind that this is completely independent of PHP, so
your timeouts and max_file_upload/max_post_size flags won't save you
here.  It's a flaw in HTTP servers themselves.

    .... but fear not, young warrior: you are not alone.  Almost every
server out there - including those run by people on their desktop PCs
out of their homes - is vulnerable.

    Even Microsoft's website.  ;-P

-- 
</Daniel P. Brown>
Dedicated Servers - Intel 2.4GHz w/2TB bandwidth/mo. starting at just
$59.99/mo. with no contract!
Dedicated servers, VPS, and hosting from $2.50/mo.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
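
Added example (not part of the original message or of any project it mentions): a Python sketch of the server-side control the scenario above calls for, a body-size cap enforced at the HTTP layer before anything is spooled to disk. The names `precheck`, `spool_body`, `BodyTooLarge`, the 1 MiB cap and the lowercase header keys are assumptions made for illustration.

```python
import io

MAX_BODY = 1024 * 1024  # assumed cap for this example: 1 MiB


class BodyTooLarge(Exception):
    """Body exceeded the cap while streaming; the caller answers 413 and closes."""


def precheck(headers, limit=MAX_BODY):
    """Decide from the headers alone, before reading a single body byte.

    Returns an HTTP status to reject with, or None to go on to spool_body().
    `headers` is assumed to be a dict with lowercase keys.
    """
    if "chunked" in headers.get("transfer-encoding", "").lower():
        return None  # no declared size: the cap can only be enforced while streaming
    length = headers.get("content-length")
    if length is None:
        return 411  # Length Required
    if not (length.isascii() and length.isdigit()):
        return 400  # malformed or negative length
    return 413 if int(length) > limit else None


def spool_body(stream, sink, limit=MAX_BODY, chunk=64 * 1024):
    """Copy the body to `sink`, never writing more than `limit` bytes.

    The declared Content-Length is not trusted here: bytes are counted as
    they arrive, and at most limit + 1 bytes are ever read from the client.
    """
    total = 0
    while True:
        data = stream.read(min(chunk, limit + 1 - total))
        if not data:
            return total
        total += len(data)
        if total > limit:
            raise BodyTooLarge(total)
        sink.write(data)


if __name__ == "__main__":
    # Constructed sample requests: headers only, then a fake oversized body.
    print(precheck({"content-length": "5000000000"}))  # rejected up front
    try:
        spool_body(io.BytesIO(b"x" * 2048), io.BytesIO(), limit=1024)
    except BodyTooLarge as exc:
        print("aborted after", exc.args[0], "bytes")
```

Apache's `LimitRequestBody` directive applies the same kind of cap inside the web server itself.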

