[21340] in bugtraq
Re: A Study In Scarlet - Exploiting Common Vulnerabilities in PHP Applications
daemon@ATHENA.MIT.EDU (Stephen Cope)
Wed Jul 4 16:58:19 2001
Date: Wed, 4 Jul 2001 19:04:40 +1200
From: Stephen Cope <mail-e-f3dcc3d8d97d43de3a@kimihia.org.nz>
To: bugtraq@securityfocus.com
Message-ID: <20010704190440.A12895@mess.kimihia.org.nz>

: Please read that again if that doesn't make you blink, a remote user can
: send any file they wish to a PHP enabled machine and before a script has

The maximum file size is also specified in the PHP configuration, and can
also be specified in the Apache configuration too.

    PHP: upload_max_filesize
    Apache: LimitRequestBody

: even specified whether or not it accepts file uploads that file is SAVED on
: the local disk.

Yes, and it is deleted once the script has completed executing.

: I'm going to ignore any resource exhaustion attacks that may or may not be
: possible using file upload functionality, I think they're fairly limited if
: not impossible in any case.

Resource exhaustion? Maximum possible resource usage is:

    min(upload_max_filesize, LimitRequestBody) * MaxClients

In the case of one server, this would be:

    min(2M, 4M) * 200 = 400MB

Easily launched with the Apache benchmarking tool, but dependent on the
bandwidth between the attacker and the attacked:

    ab -c 200 -n 200 -p 2mb_of_data.txt http://host/

I don't see it as a problem, not even over a Fast Ethernet connection.

: This form input will provide exactly the variables the PHP scripts expects
: to be set by PHP, but instead of working on an uploaded file the script will

Use is_uploaded_file and move_uploaded_file instead. They aren't fooled.

Turu.
--
Stephen Cope - http://sdc.org.nz/
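
The check recommended in the message above, sketched as an added example that is not part of the original post or of any project's code. It assumes a current PHP (the $_FILES array, random_bytes, typed signatures); the function name store_upload, the form field "userfile" and the destination directory are hypothetical.

```php
<?php
// Added example, not from the original post. store_upload(), the field
// name "userfile" and the destination paths are hypothetical.

function store_upload(array $entry, string $destDir): string
{
    // Reject failed or partial uploads, and multi-file (array) entries.
    if (($entry['error'] ?? null) !== UPLOAD_ERR_OK
        || !is_string($entry['tmp_name'] ?? null)) {
        throw new RuntimeException('upload failed or missing');
    }
    // Core check: true only if PHP itself received this path as part of
    // the current HTTP POST. A path supplied through ordinary request
    // variables that imitate an upload fails here.
    if (!is_uploaded_file($entry['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Never reuse the client-supplied file name; generate one server-side.
    $target = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.upload';
    // move_uploaded_file() repeats the uploaded-file check before moving.
    if (!move_uploaded_file($entry['tmp_name'], $target)) {
        throw new RuntimeException('could not store upload');
    }
    return $target;
}

// Web usage: $path = store_upload($_FILES['userfile'], '/var/uploads');

// Constructed demonstration for the command line: the entry has the right
// shape, but its tmp_name is a local file this script created, not an upload.
if (PHP_SAPI === 'cli') {
    $local = tempnam(sys_get_temp_dir(), 'demo');
    file_put_contents($local, "constructed sample data\n");
    $forged = [
        'name' => 'report.txt', 'tmp_name' => $local,
        'error' => UPLOAD_ERR_OK, 'size' => filesize($local),
    ];
    try {
        store_upload($forged, sys_get_temp_dir());
        echo "accepted\n";
    } catch (RuntimeException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    } finally {
        unlink($local);
    }
}
```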