Bookmarks

Yahoo Gmail Google Facebook Delicious Twitter Reddit Stumpleupon Myspace Digg

Search queries

/proc/kallsyms format, sqldatasource dal, wwwxxxenden, convert raid5 to raid 10 mdadm, apache force chunked, nrao wwwxxx, xxxxxdup, procmail change subject header, wwwXxx not20, Wwwxxx.doks sas

Links

XODOX
Impressum

#1: A newbie question about http post

Posted on 2010-10-04 20:23:28 by Pito Salas

I was having a debate with a friend of mine. Can you clear this up?

Is it true that I can do an http post to any apache/httpd server and
get it to upload a file? It would seem like an application should give
permission, or at least that httpd could be configured so that an
application needs to give permission.

In other words:

<form action=3D"http://gmail.com/" method=3D"post" multipart=3D"yes">
=A0<input type=3D"file" name=3D"big"/>
=A0<input type=3D"submit" value=3D"go"/>
</form>

Will the server accept and process all the gazillion bits of the file
even if no application has said it wants it?

I know it's probably a dumb question (he says it is) but it seems to
be such a big opening for a DOS attack that I can't believe it's
possible.

Thanks for any insights (or references where the answer is explained)

- Pito

--=20
Check out http://www.salas.com and http://www.blogbridge.com/look

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Report this message

#2: Re: A newbie question about http post

Posted on 2010-10-04 20:32:07 by fakessh

--=-aDzOolw18c3kSZgWddMZ
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

use the ajax librairie for upload
and active the javascript into the formulaire and control all the
variables to the upload

it's nice way

<anonymous>
Le lundi 04 octobre 2010 à 14:23 -0400, Pito Salas a écrit :
> I was having a debate with a friend of mine. Can you clear this up?
>=20
> Is it true that I can do an http post to any apache/httpd server and
> get it to upload a file? It would seem like an application should give
> permission, or at least that httpd could be configured so that an
> application needs to give permission.
>=20
> In other words:
>=20
> <form action=3D"http://gmail.com/" method=3D"post" multipart=3D"yes">
> <input type=3D"file" name=3D"big"/>
> <input type=3D"submit" value=3D"go"/>
> </form>
>=20
> Will the server accept and process all the gazillion bits of the file
> even if no application has said it wants it?
>=20
> I know it's probably a dumb question (he says it is) but it seems to
> be such a big opening for a DOS attack that I can't believe it's
> possible.
>=20
> Thanks for any insights (or references where the answer is explained)
>=20
> - Pito
>=20
--=20
http://pgp.mit.edu:11371/pks/lookup?op=3Dget&search=3D0x0921 64A7


gpg --keyserver pgp.mit.edu --recv-key 092164A7

--=-aDzOolw18c3kSZgWddMZ
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: Ceci est une partie de message
=?ISO-8859-1?Q?num=E9riquement?= =?ISO-8859-1?Q?_sign=E9e?=

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQBMqh2ntXI/OwkhZKcRAlGkAJ0Tqn/JenTZBEkG2v5wXpwTuRaQzgCf XtjQ
ki9Dz+RH1fAhC2KL3OJNYC8=
=xUsk
-----END PGP SIGNATURE-----

--=-aDzOolw18c3kSZgWddMZ--

Report this message

#3: Re: A newbie question about http post

Posted on 2010-10-04 21:30:01 by i.galic

----- "Pito Salas" <rps@salas.com> wrote:

> I was having a debate with a friend of mine. Can you clear this up?
>=20
> Is it true that I can do an http post to any apache/httpd server and
> get it to upload a file? It would seem like an application should
> give
> permission, or at least that httpd could be configured so that an
> application needs to give permission.
>=20
> In other words:
>=20
> <form action=3D"http://gmail.com/" method=3D"post" multipart=3D"yes">
> à<input type=3D"file" name=3D"big"/>
> à<input type=3D"submit" value=3D"go"/>
> </form>
>=20
> Will the server accept and process all the gazillion bits of the file
> even if no application has said it wants it?
>=20
> I know it's probably a dumb question (he says it is) but it seems to
> be such a big opening for a DOS attack that I can't believe it's
> possible.

Why not just try it out?

i.galic@phoenix ~/Projects/asf/httpd (svn)-[trunk:1004125] % dd if=3D/dev/u=
random of=3Dzomg.big bs=3D4096 count=3D40096
40096+0 records in
40096+0 records out
164233216 bytes (164 MB) copied, 45.7197 s, 3.6 MB/s

i.galic@phoenix ~/Projects/asf/httpd (svn)-[trunk:1004125] % curl -vid @zom=
ng.big http://httpd.bblan 2>&1 | less =
=
=20
Warning: Couldn't read data from file "zomng.big", this makes an empty POST=
..


meh..

i.galic@phoenix ~/Projects/asf/httpd (svn)-[trunk:1004125] % base64 < zomg.=
big > big.txt =20
i.galic@phoenix ~/Projects/asf/httpd (svn)-[trunk:1004125] % curl -vid @big=
..txt http://httpd.bblan 2>&1 | less
* About to connect() to httpd.bblan port 80 (#0)
* Trying 127.0.1.3... % Total % Received % Xferd Average Speed Ti=
me Time Time Current
Dload Upload Total Spent Left Spe=
ed
^M 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- =
0connected
* Connected to httpd.bblan (127.0.1.3) port 80 (#0)
> POST / HTTP/1.1
> User-Agent: curl/7.21.0 (x86_64-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.=
8o zlib/1.2.3.4 libidn/1.18
> Host: httpd.bblan
> Accept: */*
> Content-Length: 22369624
> Content-Type: application/x-www-form-urlencoded
> Expect: 100-continue
>=20
< HTTP/1.1 100 Continue
} [data not shown]
^M 48 208M 0 0 48 101M 0 104M 0:00:01 --:--:-- 0:00:01 =
104M< HTTP/1.1 200 OK
< Date: Mon, 04 Oct 2010 19:27:36 GMT
< Server: Apache/2.2.16 (Ubuntu)
< Accept-Ranges: bytes
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
< Content-Type: text/html
<=20
{ [data not shown]
HTTP/1.1 100 Continue

HTTP/1.1 200 OK
Date: Mon, 04 Oct 2010 19:27:36 GMT
Server: Apache/2.2.16 (Ubuntu)
Accept-Ranges: bytes
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html


> Thanks for any insights (or references where the answer is explained)

Check the RFC (2616) itself.. It should say something like:
If a request type is not forbidden, it's allowed.

That might be one of the reason why Paul Querna wrote mod_allowmethods for
ASF Infra ( https://svn.apache.org/repos/asf/httpd/sandbox/mod_allowmeth ods=
/ )

> - Pito
>=20
> --=20
> Check out http://www.salas.com and http://www.blogbridge.com/look
>=20
> ------------------------------------------------------------ ---------
> The official User-To-User support forum of the Apache HTTP Server
> Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org

i
--=20
Igor GaliÃÂ

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Report this message