httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Igor Galić <i.ga...@brainsware.org>
Subject Re: [users@httpd] A newbie question about http post
Date Mon, 04 Oct 2010 19:30:01 GMT

----- "Pito Salas" <rps@salas.com> wrote:

> I was having a debate with a friend of mine. Can you clear this up?
> 
> Is it true that I can do an http post to any apache/httpd server and
> get it to upload a file? It would seem like an application should
> give
> permission, or at least that httpd could be configured so that an
> application needs to give permission.
> 
> In other words:
> 
> <form action="http://gmail.com/" method="post" multipart="yes">
>   <input type="file" name="big"/>
>   <input type="submit" value="go"/>
> </form>
> 
> Will the server accept and process all the gazillion bits of the file
> even if no application has said it wants it?
> 
> I know it's probably a dumb question (he says it is) but it seems to
> be such a big opening for a DOS attack that I can't believe it's
> possible.

Why not just try it out?

i.galic@phoenix ~/Projects/asf/httpd (svn)-[trunk:1004125] % dd if=/dev/urandom of=zomg.big
bs=4096 count=40096
40096+0 records in
40096+0 records out
164233216 bytes (164 MB) copied, 45.7197 s, 3.6 MB/s

i.galic@phoenix ~/Projects/asf/httpd (svn)-[trunk:1004125] % curl -vid @zomng.big http://httpd.bblan
2>&1 | less                                                                       
                                                         
Warning: Couldn't read data from file "zomng.big", this makes an empty POST.


meh..

i.galic@phoenix ~/Projects/asf/httpd (svn)-[trunk:1004125] % base64 < zomg.big > big.txt
                     
i.galic@phoenix ~/Projects/asf/httpd (svn)-[trunk:1004125] % curl -vid @big.txt http://httpd.bblan
2>&1 | less
* About to connect() to httpd.bblan port 80 (#0)
*   Trying 127.0.1.3...   % Total    % Received % Xferd  Average Speed   Time    Time    
Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
^M  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0connected
* Connected to httpd.bblan (127.0.1.3) port 80 (#0)
> POST / HTTP/1.1
> User-Agent: curl/7.21.0 (x86_64-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4
libidn/1.18
> Host: httpd.bblan
> Accept: */*
> Content-Length: 22369624
> Content-Type: application/x-www-form-urlencoded
> Expect: 100-continue
> 
< HTTP/1.1 100 Continue
} [data not shown]
^M 48  208M    0     0   48  101M      0   104M  0:00:01 --:--:--  0:00:01  104M< HTTP/1.1
200 OK
< Date: Mon, 04 Oct 2010 19:27:36 GMT
< Server: Apache/2.2.16 (Ubuntu)
< Accept-Ranges: bytes
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
< Content-Type: text/html
< 
{ [data not shown]
HTTP/1.1 100 Continue

HTTP/1.1 200 OK
Date: Mon, 04 Oct 2010 19:27:36 GMT
Server: Apache/2.2.16 (Ubuntu)
Accept-Ranges: bytes
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html


> Thanks for any insights (or references where the answer is explained)

Check the RFC (2616) itself.. It should say something like:
If a request type is not forbidden, it's allowed.

That might be one of the reason why Paul Querna wrote mod_allowmethods for
ASF Infra ( https://svn.apache.org/repos/asf/httpd/sandbox/mod_allowmethods/ )

> - Pito
> 
> -- 
> Check out http://www.salas.com and http://www.blogbridge.com/look
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server
> Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org

i
-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message