#1: A newbie question about http post

Posted on 2010-10-04 20:23:28 by Pito Salas

I was having a debate with a friend of mine. Can you clear this up?

Is it true that I can do an http post to any apache/httpd server and
get it to upload a file? It would seem like an application should give
permission, or at least that httpd could be configured so that an
application needs to give permission.

In other words:

<form action="http://gmail.com/" method="post" enctype="multipart/form-data">
  <input type="file" name="big"/>
  <input type="submit" value="go"/>
</form>

Will the server accept and process all the gazillion bits of the file
even if no application has said it wants it?

I know it's probably a dumb question (he says it is) but it seems to
be such a big opening for a DOS attack that I can't believe it's
possible.

Thanks for any insights (or references where the answer is explained)

- Pito

-- 
Check out http://www.salas.com and http://www.blogbridge.com/look

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


#2: Re: A newbie question about http post

Posted on 2010-10-04 20:32:07 by fakessh


Use the ajax library for the upload,
and activate the javascript in the form and control all the
variables for the upload.

It's a nice way.

On Monday 04 October 2010 at 14:23 -0400, Pito Salas wrote:
> I was having a debate with a friend of mine. Can you clear this up?
>
> Is it true that I can do an http post to any apache/httpd server and
> get it to upload a file? It would seem like an application should give
> permission, or at least that httpd could be configured so that an
> application needs to give permission.
>
> In other words:
>
> <form action="http://gmail.com/" method="post" enctype="multipart/form-data">
>   <input type="file" name="big"/>
>   <input type="submit" value="go"/>
> </form>
>
> Will the server accept and process all the gazillion bits of the file
> even if no application has said it wants it?
>
> I know it's probably a dumb question (he says it is) but it seems to
> be such a big opening for a DOS attack that I can't believe it's
> possible.
>
> Thanks for any insights (or references where the answer is explained)
>
> - Pito
>
-- 
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7


gpg --keyserver pgp.mit.edu --recv-key 092164A7




#3: Re: A newbie question about http post

Posted on 2010-10-04 21:30:01 by i.galic

----- "Pito Salas" <rps@salas.com> wrote:

> I was having a debate with a friend of mine. Can you clear this up?
>
> Is it true that I can do an http post to any apache/httpd server and
> get it to upload a file? It would seem like an application should give
> permission, or at least that httpd could be configured so that an
> application needs to give permission.
>
> In other words:
>
> <form action="http://gmail.com/" method="post" enctype="multipart/form-data">
>   <input type="file" name="big"/>
>   <input type="submit" value="go"/>
> </form>
>
> Will the server accept and process all the gazillion bits of the file
> even if no application has said it wants it?
>
> I know it's probably a dumb question (he says it is) but it seems to
> be such a big opening for a DOS attack that I can't believe it's
> possible.

Why not just try it out?

i.galic@phoenix ~/Projects/asf/httpd (svn)-[trunk:1004125] % dd if=/dev/urandom of=zomg.big bs=4096 count=40096
40096+0 records in
40096+0 records out
164233216 bytes (164 MB) copied, 45.7197 s, 3.6 MB/s

i.galic@phoenix ~/Projects/asf/httpd (svn)-[trunk:1004125] % curl -vid @zomng.big http://httpd.bblan 2>&1 | less

Warning: Couldn't read data from file "zomng.big", this makes an empty POST.


meh..

i.galic@phoenix ~/Projects/asf/httpd (svn)-[trunk:1004125] % base64 < zomg.big > big.txt
i.galic@phoenix ~/Projects/asf/httpd (svn)-[trunk:1004125] % curl -vid @big.txt http://httpd.bblan 2>&1 | less
* About to connect() to httpd.bblan port 80 (#0)
*   Trying 127.0.1.3...   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0connected
* Connected to httpd.bblan (127.0.1.3) port 80 (#0)
> POST / HTTP/1.1
> User-Agent: curl/7.21.0 (x86_64-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.18
> Host: httpd.bblan
> Accept: */*
> Content-Length: 22369624
> Content-Type: application/x-www-form-urlencoded
> Expect: 100-continue
>
< HTTP/1.1 100 Continue
} [data not shown]
 48  208M    0     0   48  101M      0   104M  0:00:01 --:--:--  0:00:01  104M< HTTP/1.1 200 OK
< Date: Mon, 04 Oct 2010 19:27:36 GMT
< Server: Apache/2.2.16 (Ubuntu)
< Accept-Ranges: bytes
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
< Content-Type: text/html
<
{ [data not shown]
HTTP/1.1 100 Continue

HTTP/1.1 200 OK
Date: Mon, 04 Oct 2010 19:27:36 GMT
Server: Apache/2.2.16 (Ubuntu)
Accept-Ranges: bytes
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html

> Thanks for any insights (or references where the answer is explained)

Check the RFC (2616) itself.. It should say something like:
If a request type is not forbidden, it's allowed.

That might be one of the reasons why Paul Querna wrote mod_allowmethods for
ASF Infra ( https://svn.apache.org/repos/asf/httpd/sandbox/mod_allowmethods/ )

> - Pito

i
-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/

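As an added illustration (not part of the thread and not httpd's own documentation), the configuration below puts a default-like vhost beside one that bounds what a POST to an arbitrary path can cost the server; the document root and the /upload path are assumed placeholders, and only one of the two vhosts should be loaded at a time:

```apache
# Added example, not from the thread: a default-like vhost beside a hardened one.
# Assumes Apache httpd 2.2 (the thread shows Apache/2.2.16); DocumentRoot and
# the /upload path are placeholders. Load only one of the two vhosts.

# --- As shipped: nothing bounds the method or the body size ---------------
<VirtualHost *:80>
    ServerName httpd.bblan
    DocumentRoot /var/www/html
    # Effective defaults: LimitRequestBody 0 (unlimited) and every method
    # accepted, so a POST to / is read to the end and then answered 200,
    # which is exactly what the curl session above shows.
</VirtualHost>

# --- Hardened --------------------------------------------------------------
<VirtualHost *:80>
    ServerName httpd.bblan
    DocumentRoot /var/www/html

    # 1. Cap every request body server-wide (bytes); httpd answers
    #    413 Request Entity Too Large instead of reading past the cap.
    LimitRequestBody 8192

    # 2. Static content needs only GET and HEAD; refuse the rest (403).
    <Directory /var/www/html>
        <LimitExcept GET HEAD>
            Order deny,allow
            Deny from all
        </LimitExcept>
    </Directory>

    # 3. Only the upload handler may take a body, with its own larger cap.
    <Location /upload>
        LimitRequestBody 10485760
        <LimitExcept GET HEAD POST>
            Order deny,allow
            Deny from all
        </LimitExcept>
    </Location>
</VirtualHost>

# On httpd 2.4 the method restriction can instead use the module named in
# the reply:   AllowMethods GET HEAD   (mod_allowmethods), and the 2.2
# access-control lines become   Require all denied.
```

Requests rejected this way show up in the access log as 413 or 403 with the offending method and size, which gives a simple thing to alert on.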
