Re: A Study In Scarlet - Exploiting Common Vulnerabilities in PHP Applications

[Stephen Cope <mail-e-f3dcc3d8d97d43de3a () kimihia org nz>]

: Please read that again if that doesn't make you blink, a remote user can
: send any file they wish to a PHP enabled machine and before a script has

The maximum file size is also specified in the PHP configuration, and can
also be specified in the Apache configuration too.

PHP: upload_max_filesize
Apache: LimitRequestBody

: even specified whether or not it accepts file uploads that file is SAVED on
: the local disk.

Yes, and it is deleted once the script has completed executing.

: I'm going to ignore any resource exhaustion attacks that may or may not be
: possible using file upload functionality, I think they're fairly limited if
: not impossible in any case.

Resource exhaustion? Maximum possible resource usage is:

  min(upload_max_filesize, LimitRequestBody) * MaxClients

In the case of one server, this would be:

  min(2M, 4M) * 200 = 400MB

Easily launched with the Apache benchmarking tool, but dependant on the 
bandwidth between the attacker and the attacked:

  ab -c 200 -n 200 -p 2mb_of_data.txt http://host/

I don't see it as a problem, not even over a Fast Ethernet connection.

: This form input will provide exactly the variables the PHP scripts expects
: to be set by PHP, but instead of working on an uploaded file the script will

Use is_uploaded_file and move_uploaded_file instead. They aren't fooled.

Turu.

-- 
Stephen Cope - http://sdc.org.nz/