[ic] Multipart Form Data Denial of Service

Gert van der Spoel gert at 3edge.com
Tue Dec 15 21:16:25 UTC 2009

> -----Original Message-----
> From: interchange-users-bounces at icdevgroup.org [mailto:interchange-
> users-bounces at icdevgroup.org] On Behalf Of Stefan Hornburg (Racke)
> Sent: Thursday, November 26, 2009 10:04 AM
> To: interchange-users at icdevgroup.org
> Subject: [ic] Multipart Form Data Denial of Service
> Hello Interchange enthusiasts,
> This morning I upgraded PHP5 packages on Debian machines. While reading
> the security
> advisory I wondered whether Interchange or other web applications are
> affected
> by this DOS type:

Interchange as far as I understand lib/Vend/Server.pm  reads the query
string and parses that and puts data in variables without writing to disk or
creating (temporary) files.

Other (perl) web applications often work with CGI.pm and I believe that
writes a single tmp file which is then dissected.

No doubt there are ways to get Interchange on its knees, but the
max_file_uploads I do not expect to be one of them.



> --snip--
> Bogdan Calin discovered that a remote attacker could cause a denial of
> service by uploading a large number of files in using multipart/ form-
> data requests,
> causing the creation of a large number of temporary files.
> To address this issue, the max_file_uploads option introduced in PHP
> 5.3.1 has been backported. This option limits the maximum number of
> files uploaded per request.
> --snap--
> More information:
> http://seclists.org/fulldisclosure/2009/Nov/228
> Regards
>          Racke
> --
> LinuXia Systems => http://www.linuxia.de/
> Expert Interchange Consulting and System Administration
> ICDEVGROUP => http://www.icdevgroup.org/
> Interchange Development Team
> _______________________________________________
> interchange-users mailing list
> interchange-users at icdevgroup.org
> http://www.icdevgroup.org/mailman/listinfo/interchange-users

More information about the interchange-users mailing list