Re: [PHP] Re: How to prevent DoS on PHP script?

Wed, 18 Jun 2008 10:01:51 -0700 

Michelle Konzack wrote:

Hello Nitsan and Andrew,
Am 2008-06-16 13:20:14, schrieb Andrew Ballard:

On Mon, Jun 16, 2008 at 1:01 PM, Nitsan Bin-Nun <[EMAIL PROTECTED]> wrote:

I think you can handle this with 2 pages, the first is checking whether the
user is permitted to upload or not and if so passing him to the upload form
with a simple (bool) $_SESSION variable which indicates his permissions.
If you will try to access the second page and the $_SESS variable won't
exist it will throw you back to page 1 to validate your permissions.

Am I missing something? (its pretty simple..)

HTH

Yes, it's missing something. There is nothing in this approach to
prevent the remote client from attempting to access the second page
directly. Even if they do not have the valid $_SESSION variable set,
the server will still receive the entire uploaded content before
passing control to the PHP script to validate permissions. In a DoS
attack, the attacker doesn't care whether the request is actually
allowed; only that resources were consumed in handling the request.
It's still the "chicken and egg" problem already described in this
thread.


OK I was thinking about it but IF a $UPLOADER go to

    http://domain/index.php

and then click the link

    http://domain/mirror_admin.php

which set a cookie and then the $UPLOADER must click a link where he/she
get the page

    http://domain/mirror_upload.php

before the page is displayed, PHP could check the cookie right?
If the cookie is valid, it show the Form, if not the potential Uploader
get a long nose.

Thanks, Greetings and nice Day/Evening
    Michelle Konzack
    Systemadministrator
    24V Electronic Engineer
    Tamay Dogan Network
    Debian GNU/Linux Consultant




That is fine, but I can upload a file to any php script.
I don't need to use your form to do so, I an just use my own form and post data directly to the script.
If anybody remembers, this was an exploit that was found in the 4.0.6 code back in the day. 

--
Jim Lucas

   "Some men are born to greatness, some achieve greatness,
       and some have greatness thrust upon them."

Twelfth Night, Act II, Scene V
    by William Shakespeare


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to