Re: PHP "multipart/form-data" denial of service

[Moritz Naumann <security () moritz-naumann com>]

Bogdan Calin wrote:
> Description
> ------------
> PHP version 5.3.1 was just released. This release contains a patch for a
> denial of service condition we've reported on 27 October 2009. The
> problem is related with PHP's handling of RFC 1867 (Form-based File
> Upload in HTML).

Thanks for the good description and test results, Bogdan.

> Proof of concept
> -----------------
> I'm not going to publish the proof of concept Python script.
> If you have a valid reason why you would need the proof of concept, you
> can contact me at this email address (bogdan [at] acunetix.com).

Someone has apparently written one in bash:
http://www.paste-it.com/view/77958658
If testing for IT security issues wasn't practically illegalized in
Germany I might even have done it myself.

This script wasn't so effective when I tested it here, but it did work
after I spawned a couple processes. It takes it quite a while to prepare
the requests, though, and without the randomization stuff and with
> =python this could probably be done much faster.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/