Hello Nitsan and Andrew,

On 2008-06-16 13:20:14, Andrew Ballard wrote:
> On Mon, Jun 16, 2008 at 1:01 PM, Nitsan Bin-Nun <[EMAIL PROTECTED]> wrote:
> > I think you can handle this with 2 pages, the first is checking whether the
> > user is permitted to upload or not and if so passing him to the upload form
> > with a simple (bool) $_SESSION variable which indicates his permissions.
> > If you will try to access the second page and the $_SESS variable won't
> > exist it will throw you back to page 1 to validate your permissions.
> >
> > Am I missing something? (its pretty simple..)
> >
> > HTH
>
> Yes, it's missing something. There is nothing in this approach to
> prevent the remote client from attempting to access the second page
> directly. Even if they do not have the valid $_SESSION variable set,
> the server will still receive the entire uploaded content before
> passing control to the PHP script to validate permissions. In a DoS
> attack, the attacker doesn't care whether the request is actually
> allowed; only that resources were consumed in handling the request.
> It's still the "chicken and egg" problem already described in this
> thread.
OK, I was thinking about it, but IF a $UPLOADER goes to
http://domain/index.php
and then clicks the link
http://domain/mirror_admin.php
which sets a cookie, and then the $UPLOADER must click a link where he/she
gets the page
http://domain/mirror_upload.php
before the page is displayed, PHP could check the cookie, right?
If the cookie is valid, it shows the form; if not, the potential uploader
gets a long nose.
Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
24V Electronic Engineer
Tamay Dogan Network
Debian GNU/Linux Consultant
--
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
Michelle Konzack Apt. 917 ICQ #328449886
+49/177/9351947 50, rue de Soultz MSN LinuxMichi
+33/6/61925193 67100 Strasbourg/France IRC #Debian (irc.icq.com)
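The ordering problem Andrew describes (the server accepts the whole upload body before the PHP script's session or cookie check ever runs) can be seen in a small model. The following Python is an added illustration, not code from this thread or from PHP itself: `php_style_handle` models a check done inside the script, after the body has already been buffered, and `front_door_handle` models the same check done by the web server before a single body byte is read. The cookie name `upload_session`, the token values, the `Request` type and the request sizes are all constructed for the demonstration.

```python
"""Toy model of "when does the permission check run relative to reading the
upload body?".  Added example for the php-general discussion above; the
cookie name, tokens and helper names are constructed, not real PHP APIs."""
import io
from dataclasses import dataclass


@dataclass
class Request:
    """One inbound HTTP request: parsed headers plus an unread body stream.
    Reading from `body` stands in for the bandwidth/disk/CPU the server spends."""
    headers: dict
    body: io.BytesIO


def parse_cookies(cookie_header: str) -> dict:
    """Split a Cookie header value ('a=1; b=2') into a dict."""
    cookies = {}
    for part in cookie_header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def session_is_valid(headers: dict, valid_tokens: set) -> bool:
    """The permission check: does the request carry a known session cookie?
    (Constructed cookie name `upload_session`.)"""
    cookies = parse_cookies(headers.get("Cookie", ""))
    return cookies.get("upload_session") in valid_tokens


def php_style_handle(req: Request, valid_tokens: set):
    """Model of a check inside the upload script: the server buffers the whole
    body (to populate $_FILES) *before* the script executes, so the cost is
    paid whether or not the request is authorised."""
    body = req.body.read()            # unconditional: happens before any check
    consumed = len(body)
    if not session_is_valid(req.headers, valid_tokens):
        return 403, consumed          # rejected, but the full body was received
    return 200, consumed


def front_door_handle(req: Request, valid_tokens: set, max_body: int):
    """Model of a check done by the web server (or a front proxy) on the
    headers alone, before the body is read."""
    if not session_is_valid(req.headers, valid_tokens):
        return 403, 0                 # rejected without reading a body byte
    length = int(req.headers.get("Content-Length", "0"))
    if length > max_body:
        return 413, 0                 # size limit enforced on the header, too
    body = req.body.read(length)
    return 200, len(body)


def make_request(cookie: str, size: int) -> Request:
    """Constructed sample request whose body is `size` bytes of filler."""
    return Request(
        headers={"Cookie": cookie, "Content-Length": str(size)},
        body=io.BytesIO(b"A" * size),
    )


def demo(size: int = 5_000_000) -> dict:
    """Run both models against an authorised and an unauthorised upload.
    Returns {scenario: (status, body_bytes_consumed)}."""
    valid = {"s3cr3t-token"}                        # constructed token
    bad = "upload_session=forged"
    good = "upload_session=s3cr3t-token"
    return {
        "php_unauthorised": php_style_handle(make_request(bad, size), valid),
        "php_authorised": php_style_handle(make_request(good, size), valid),
        "front_door_unauthorised": front_door_handle(make_request(bad, size), valid, size),
        "front_door_authorised": front_door_handle(make_request(good, size), valid, size),
        "front_door_oversized": front_door_handle(make_request(good, size), valid, size - 1),
    }


if __name__ == "__main__":
    for name, (status, consumed) in demo().items():
        print(f"{name:24s} status={status} body bytes consumed={consumed}")
```

The unauthorised request costs the same 5 MB in the script-side model as the authorised one, which is exactly the resource-consumption point made earlier in the thread; only the front-door model turns a forged cookie into a zero-cost rejection. In practice that means the cookie or session check has to be enforced by the web server (or a proxy in front of it) together with a hard request-size limit, not by the PHP page that is displayed afterwards.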