On Wed, Jun 18, 2008 at 1:00 PM, Jim Lucas <[EMAIL PROTECTED]> wrote:
>
> That is fine, but I can upload a file to any php script.
>
> I don't need to use your form to do so, I can just use my own form and post
> data directly to the script.
>
> If anybody remembers, this was an exploit that was found in the 4.0.6 code
> back in the day.
That's correct. Theoretically, you can place a form anywhere in
the world, and upload a file to any server in the world. This is,
unfortunately, a potentially serious issue.
Consider the following:
I'm in competition with Company A, and I decide to perform a DoS
attack on them. I could distribute the attack, PING flood or teardrop
the server, et cetera.... but instead, I decide to try something more
sinister.
I concoct a very, very simple HTML form like so:
<form method="post" enctype="multipart/form-data"
action="http://www.example.com/">
File: <input type="file" name="huge_file">
<input type="submit" value="Crash!">
</form>
I select the largest file I can find (or generate one myself -
including a VFS block file of several gigabytes), and upload it to
Company A's server via my form. I can even use cURL or POST from the
command line of several servers to expedite the process. Any similar
method will work, and the end result would be the same: exceeding disk
space on the server, causing file corruption, unavailability, missed
database transactions, corrupted backups, undeliverable mail, and even
catastrophic data loss.
On a LAMP system, Apache should automatically remove the file from
the /tmp (or wherever it's configured to write) directory as soon as
the upload completes and the child process dies. However, with a
large file - or several simultaneous large files - you can easily fill
the disk space of a poorly-configured, poorly-secured server.
Not to mention the bandwidth-bogging and RAM-hogging you can do.
Plus, keep in mind that this is completely independent of PHP, so
your timeouts and max_file_upload/max_post_size flags won't save you
here. It's a flaw in HTTP servers themselves.
.... but fear not, young warrior: you are not alone. Almost every
server out there - including those run by people on their desktop PCs
out of their homes - is vulnerable.
Even Microsoft's website. ;-P
--
</Daniel P. Brown>
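The usual defence against the scenario described above is to cap request bodies at the HTTP server itself rather than relying on PHP. The following httpd.conf fragments are an added example, not part of the thread or of any real deployment; the hostname, paths, the 64 KiB and 10 MiB limits and the /upload.php location are assumptions for illustration.

```apache
# Added example (not from the thread): Apache httpd 2.2/2.4 configuration,
# weak setting first, hardened setting second. Values are assumptions.

# Weak: no body limit. LimitRequestBody defaults to 0 (unlimited) before
# httpd 2.4.53, so a client can POST a multi-gigabyte body to any URL
# served by this host, whether or not a script there expects a file.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/html
</VirtualHost>

# Hardened: cap bodies host-wide, raise the cap only where uploads are
# actually handled, and stop clients that trickle the body in slowly.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/html

    # Any request body over 64 KiB is refused with 413 before it is
    # handed to PHP or written to the upload temp directory.
    LimitRequestBody 65536

    # mod_reqtimeout: headers must finish within 20-40 s, the body within
    # 20 s, extended only while at least 500 bytes/s keep arriving.
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500

    # Only the upload handler may receive large bodies, still bounded
    # at 10 MiB; every other URL keeps the 64 KiB limit above.
    <Location "/upload.php">
        LimitRequestBody 10485760
    </Location>
</VirtualHost>
```

The limits are checked as the body is read, so an oversized upload is cut off early instead of being spooled to disk first; mod_reqtimeout must be loaded for RequestReadTimeout to be accepted.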
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php