: Please read that again if that doesn't make you blink, a remote user can : send any file they wish to a PHP enabled machine and before a script has The maximum file size is also specified in the PHP configuration, and can also be specified in the Apache configuration too. PHP: upload_max_filesize Apache: LimitRequestBody : even specified whether or not it accepts file uploads that file is SAVED on : the local disk. Yes, and it is deleted once the script has completed executing. : I'm going to ignore any resource exhaustion attacks that may or may not be : possible using file upload functionality, I think they're fairly limited if : not impossible in any case. Resource exhaustion? Maximum possible resource usage is: min(upload_max_filesize, LimitRequestBody) * MaxClients In the case of one server, this would be: min(2M, 4M) * 200 = 400MB Easily launched with the Apache benchmarking tool, but dependant on the bandwidth between the attacker and the attacked: ab -c 200 -n 200 -p 2mb_of_data.txt http://host/ I don't see it as a problem, not even over a Fast Ethernet connection. : This form input will provide exactly the variables the PHP scripts expects : to be set by PHP, but instead of working on an uploaded file the script will Use is_uploaded_file and move_uploaded_file instead. They aren't fooled. Turu. -- Stephen Cope - http://sdc.org.nz/
This archive was generated by hypermail 2b30 : Wed Jul 04 2001 - 13:59:14 PDT