[ic] Multipart Form Data Denial of Service
Gert van der Spoel
gert at 3edge.com
Tue Dec 15 21:16:25 UTC 2009
> -----Original Message-----
> From: interchange-users-bounces at icdevgroup.org [mailto:interchange-
> users-bounces at icdevgroup.org] On Behalf Of Stefan Hornburg (Racke)
> Sent: Thursday, November 26, 2009 10:04 AM
> To: interchange-users at icdevgroup.org
> Subject: [ic] Multipart Form Data Denial of Service
> Hello Interchange enthusiasts,
> This morning I upgraded PHP5 packages on Debian machines. While reading
> the security
> advisory I wondered whether Interchange or other web applications are
> by this DOS type:
Interchange as far as I understand lib/Vend/Server.pm reads the query
string and parses that and puts data in variables without writing to disk or
creating (temporary) files.
Other (perl) web applications often work with CGI.pm and I believe that
writes a single tmp file which is then dissected.
No doubt there are ways to get Interchange on its knees, but the
max_file_uploads I do not expect to be one of them.
> Bogdan Calin discovered that a remote attacker could cause a denial of
> service by uploading a large number of files in using multipart/ form-
> data requests,
> causing the creation of a large number of temporary files.
> To address this issue, the max_file_uploads option introduced in PHP
> 5.3.1 has been backported. This option limits the maximum number of
> files uploaded per request.
> More information:
> LinuXia Systems => http://www.linuxia.de/
> Expert Interchange Consulting and System Administration
> ICDEVGROUP => http://www.icdevgroup.org/
> Interchange Development Team
> interchange-users mailing list
> interchange-users at icdevgroup.org
More information about the interchange-users