Mailing List Archive: Interchange: users

Multipart Form Data Denial of Service



racke at linuxia

Nov 26, 2009, 12:04 AM

Post #1 of 2 (774 views)
Multipart Form Data Denial of Service

Hello Interchange enthusiasts,

This morning I upgraded PHP5 packages on Debian machines. While reading the security
advisory I wondered whether Interchange or other web applications are affected
by this DOS type:

--snip--
Bogdan Calin discovered that a remote attacker could cause a denial of service by uploading a large number of files in using multipart/form-data requests, causing the creation of a large number of temporary files.

To address this issue, the max_file_uploads option introduced in PHP 5.3.1 has been backported. This option limits the maximum number of files uploaded per request.
--snap--

More information:
http://seclists.org/fulldisclosure/2009/Nov/228

Regards
Racke

--
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team


_______________________________________________
interchange-users mailing list
interchange-users [at] icdevgroup
http://www.icdevgroup.org/mailman/listinfo/interchange-users


gert at 3edge

Dec 15, 2009, 1:16 PM

Post #2 of 2 (590 views)
Re: Multipart Form Data Denial of Service [In reply to]

> -----Original Message-----
> From: interchange-users-bounces [at] icdevgroup [mailto:interchange-
> users-bounces [at] icdevgroup] On Behalf Of Stefan Hornburg (Racke)
> Sent: Thursday, November 26, 2009 10:04 AM
> To: interchange-users [at] icdevgroup
> Subject: [ic] Multipart Form Data Denial of Service
>
> Hello Interchange enthusiasts,
>
> This morning I upgraded PHP5 packages on Debian machines. While reading
> the security
> advisory I wondered whether Interchange or other web applications are
> affected
> by this DOS type:

Interchange, as far as I understand lib/Vend/Server.pm, reads the query
string, parses it and puts the data in variables without writing to disk or
creating (temporary) files.

Other (perl) web applications often work with CGI.pm and I believe that
writes a single tmp file which is then dissected.

No doubt there are ways to bring Interchange to its knees, but
max_file_uploads I do not expect to be one of them.

CU,

Gert


> --snip--
> Bogdan Calin discovered that a remote attacker could cause a denial of
> service by uploading a large number of files in using multipart/ form-
> data requests,
> causing the creation of a large number of temporary files.
>
> To address this issue, the max_file_uploads option introduced in PHP
> 5.3.1 has been backported. This option limits the maximum number of
> files uploaded per request.
> --snap--
>
> More information:
> http://seclists.org/fulldisclosure/2009/Nov/228
>
> Regards
> Racke
>
> --
> LinuXia Systems => http://www.linuxia.de/
> Expert Interchange Consulting and System Administration
> ICDEVGROUP => http://www.icdevgroup.org/
> Interchange Development Team
>
>


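The mitigation the thread describes (PHP's max_file_uploads: cap the number of file parts per request so a single multipart/form-data request cannot create an unbounded number of temporary files) as an added illustration in Python, not code from Interchange, CGI.pm or PHP. The boundary, field names and request bodies are constructed sample data; the parser counts file parts as it walks the body and rejects the request before any part would be spooled to disk.

```python
"""Bounded multipart/form-data parsing: count file parts while walking the
body and refuse the request before a per-file temporary file is created."""
import re


class TooManyFiles(Exception):
    """Raised when a request carries more file parts than the configured cap."""


_DISP = re.compile(rb'content-disposition:\s*form-data;(.*)', re.I)
_PARAM = re.compile(rb'(\w+)="([^"]*)"')


def parse_multipart(body, boundary, max_file_uploads):
    """Return (name, filename, size) for each part; filename is None for
    ordinary fields. File parts are counted as they are met, so an
    over-limit request is rejected before any part reaches disk."""
    delim = b"--" + boundary
    parts, files = [], 0
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):          # closing "--boundary--"
            break
        head, _, data = chunk.partition(b"\r\n\r\n")
        m = _DISP.search(head)
        if not m:
            continue                         # not a form-data part
        params = dict(_PARAM.findall(m.group(1)))
        filename = params.get(b"filename")
        if filename is not None:
            files += 1
            if files > max_file_uploads:     # the max_file_uploads check
                raise TooManyFiles(f"more than {max_file_uploads} file parts")
        if data.endswith(b"\r\n"):           # strip CRLF before next delimiter
            data = data[:-2]
        parts.append((params.get(b"name", b"").decode(),
                      None if filename is None else filename.decode(), len(data)))
    return parts


def build_multipart(boundary, n_files):
    """Constructed sample body: one plain field followed by n_files one-byte
    file parts (test data, not a captured request)."""
    pieces = [b'--' + boundary + b'\r\nContent-Disposition: form-data; name="f"\r\n\r\nx\r\n']
    for i in range(n_files):
        pieces.append(b'--' + boundary + b'\r\nContent-Disposition: form-data; name="up%d"; '
                      b'filename="%d.txt"\r\nContent-Type: text/plain\r\n\r\nA\r\n' % (i, i))
    pieces.append(b'--' + boundary + b'--\r\n')
    return b"".join(pieces)


def accepts(body, boundary, max_file_uploads):
    """True when the request is within the cap, False when it is rejected."""
    try:
        parse_multipart(body, boundary, max_file_uploads)
        return True
    except TooManyFiles:
        return False
```

A parser that writes each file part to a temporary file before counting them is exactly the behaviour the advisory describes; the count has to happen on the way in, as above, for the cap to help.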
