Sla.ckers.org
How do we crash systems, browsers, or otherwise bring things to a halt, and how do we protect those things? 
File Upload issue
Posted by: gunwant_s
Date: April 09, 2009 04:59AM

Hi,

I was sizing up one of the very underestimated risks associated with the 'upload' feature in applications of different platforms. To elucidate, let me give you an example:

An application has an upload feature which allows files no bigger than 2MB. Now if you try to upload a file bigger than that, it will exhibit a message saying 'not allowed to upload big files'. Now if you analyze the server carefully, you will see the whole file gets uploaded to the Temporary folder first and then it will check if it is bigger than 2 MB. Following that, if a malicious user automates this process and submits multiple requests (in thousands or more), that can be a possible cause of DoS as the server space will be occupied.

My question is how to mitigate this. Any thoughts?

Re: File Upload issue
Posted by: PaPPy
Date: April 09, 2009 08:53AM

instead of copying it first use php commands to check the size of the file...

http://www.xssed.com/archive/author=PaPPy/

Re: File Upload issue
Posted by: nEUrOO
Date: April 09, 2009 10:21AM

yeah but it will still be in the temporary directory; you can, of course, delete the file with the script if it's too big, etc.

nEUrOO -- http://rgaucher.info -- http://twitter.com/rgaucher

Re: File Upload issue
Posted by: lightos
Date: April 09, 2009 12:50PM

One thing to look out for is a decompression bomb ("Zip of Death"). Compressing thousands of Terabytes into a couple of Megabytes and then letting the server try and handle the file may be an easier way of crashing the server.

Re: File Upload issue
Posted by: barbarianbob
Date: April 09, 2009 03:36PM

LimitRequestBody 2097152

In the .htaccess. It checks the content-length before it even attempts to upload the file.

Re: File Upload issue
Posted by: Kyo
Date: April 11, 2009 03:34AM

in PHP, you can set a maximal allowed filesize, which is usually somewhere from 2 to 16 mb, so yeah.

Re: File Upload issue
Posted by: gunwant_s
Date: April 11, 2009 01:12PM

Thank you all for your responses.

@barbarianbob:
Do you mean by .htaccess configuration it won't even upload the file in the Temporary directory but will check the content-length? Can you please elaborate on what you said?

Thanks

Edited 1 time(s). Last edit at 04/11/2009 01:15PM by gunwant_s.

Re: File Upload issue
Posted by: barbarianbob
Date: April 11, 2009 07:08PM

Apache checks the content-length header and makes sure it falls within LimitRequestBody.
If not, it returns a "413 Request Entity Too Large" error and truncates the post data, so files are never uploaded.

Some code:
http://127.0.0.1/attack/limitRequestBody/.htaccess
LimitRequestBody 2097152
#^this is 1024*1024*2

http://127.0.0.1/attack/limitRequestBody/a.php
<?php
define('LF',"\n");
define('BR','<br />'.LF);
define('CRLF',"\r\n");

$host = '127.0.0.1';
$postLen=1024*1024*2; // change this to 1024*1024*2+1 later

$url='/attack/limitRequestBody/b.php';

//the following sets up post data with an uploaded file and padded to length $postLen
$postPart1='-------------------------------26457597255589711'.CRLF
  .'Content-Disposition: form-data; name="upload"; filename="upload.txt"'.CRLF
  .'Content-Type: text/plain'.CRLF
  .CRLF
  .'I\'m an uploaded file!'.CRLF
  .'-------------------------------26457597255589711'.CRLF
  .'Content-Disposition: form-data; name="a";'.CRLF
  .CRLF;
$postPart3=CRLF
  .'-------------------------------26457597255589711--'.CRLF;
$postPart2=str_repeat('A',$postLen-strlen($postPart1)-strlen($postPart3));

$post=$postPart1.$postPart2.$postPart3; //strlen($post)==$postLen

//sets up the headers
$headers='POST '.$url.' HTTP/1.1'.CRLF
  .'host: '.$host.CRLF
  .'connection: close'.CRLF
  .'content-type: multipart/form-data; boundary=-----------------------------26457597255589711'.CRLF
  .'content-length: '.strlen($post).CRLF
  .'cookie:'.CRLF
  .CRLF
  .$post;

//sends the headers
$handle=fsockopen($host,80);
fwrite($handle,$headers);

//echoes apache's response
while(!feof($handle)){
  echo nl2br(fgets($handle));
}
fclose($handle);
?>

http://127.0.0.1/attack/limitRequestBody/b.php
<?php
var_dump($_FILES);
?>


Set up those files and run http://127.0.0.1/attack/limitRequestBody/a.php
It sends $postLen bytes worth of post data to b.php and echoes the response.
b.php dumps $_FILES info.
So when $postLen is 1024*1024*2, all as is should be.
But if you change its value to 1024*1024*2+1, apache responds with a "413 Request Entity Too Large" (but still runs b.php). In this case, b.php dumps a blank array, which is evidence that the post data was truncated.
For further proof, add sleep(5); to b.php and keep F5-ing in your tmp folder. A temp file will be added if you get a regular 200 response but will not show up if you get a 413 response.

Edited 1 time(s). Last edit at 04/11/2009 07:10PM by barbarianbob.

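The check barbarianbob describes, modelled as an added example (it is not code from this thread or from Apache): refuse on the Content-Length header before reading any of the body, and, because that header is client-supplied and missing for chunked requests, also cap the streamed read so a lying or absent header cannot get more than the limit onto disk. The names guard_upload, request and demo are assumptions, and the requests are constructed in memory.

```python
import io

LIMIT = 2 * 1024 * 1024   # the same 2 MiB as "LimitRequestBody 2097152"
CHUNK = 64 * 1024         # read size while streaming the body

def guard_upload(headers, body, limit=LIMIT, chunk=CHUNK):
    """Decide whether to accept an upload before spooling it to disk.

    headers: dict of lower-cased header names -> values (constructed here,
    not a real server object). body: a binary file-like object.
    Returns (status, spooled): status is 200, 400 or 413; spooled is how
    many body bytes were read before the decision was made.
    """
    declared = headers.get("content-length")
    if declared is not None:
        try:
            declared = int(declared)
        except ValueError:
            return 400, 0
        if declared < 0:
            return 400, 0
        if declared > limit:
            # Reject on the header alone: nothing is read, nothing hits /tmp.
            return 413, 0
    # Header absent (chunked) or within the limit: stream with a hard cap,
    # never reading more than limit+1 bytes no matter what the client sends.
    spooled = 0
    while True:
        piece = body.read(min(chunk, limit - spooled + 1))
        if not piece:
            break
        spooled += len(piece)
        if spooled > limit:
            return 413, spooled   # stop here; the partial temp file is discarded
    if declared is not None and spooled != declared:
        return 400, spooled       # body did not match the declared length
    return 200, spooled

def request(content_length, body_bytes):
    """Build a constructed request: header dict plus body stream."""
    headers = {"content-type": "multipart/form-data; boundary=x"}
    if content_length is not None:
        headers["content-length"] = str(content_length)
    return headers, io.BytesIO(body_bytes)

def demo():
    """Run the guard over four constructed uploads and return the outcomes."""
    exactly, over = b"A" * LIMIT, b"A" * (LIMIT + 1)
    return {
        "at_limit": guard_upload(*request(LIMIT, exactly)),        # accepted
        "over_by_one": guard_upload(*request(LIMIT + 1, over)),    # header check
        "lying_header": guard_upload(*request(100, over)),         # streamed cap
        "chunked_over": guard_upload(*request(None, over)),        # no header
        "bad_length": guard_upload(*request("abc", b"")),          # malformed
    }
```

The "over_by_one" case mirrors the 413 in the post above: not a single body byte is read, so no temp file is ever created.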
Re: File Upload issue
Posted by: gunwant_s
Date: April 21, 2009 10:46AM

Interesting!
Any idea about how to mitigate this risk in .NET applications?

Re: File Upload issue
Posted by: thrill
Date: April 21, 2009 11:24AM

Yes! The way to mitigate risks in .NET applications is to install apache and use PHP! :)

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill
