[opencms-dev] DOS attacks made possible by image scaling?

Mika Salminen mika.j.salminen at gmail.com
Tue Jun 9 21:41:35 CEST 2009


Hello,

OpenCms image scaling with request parameters (i.e.
http://your.url/image.jpeg?__scale=w:50,h:50) is a nice feature and allows, for
example, easy thumbnail generation. But I believe that it provides multiple
possibilities for a malicious user to play around.

Basic attacks could possibly be done as easily as just requesting the image
with many different parameters many times in a row.

For example:

http://your.url/image.jpeg?__scale=w:1,h:1
http://your.url/image.jpeg?__scale=w:1,h:2
http://your.url/image.jpeg?__scale=w:1,h:3
...
http://your.url/image.jpeg?__scale=w:1024,h:767

This would cause OpenCms to create and write to the cache a new version of the
image (of course, if an image with the given parameters already exists in the
cache, it is not recreated).

This kind of attack could cause performance problems for the server (I
assume that the image processing is not very cheap), but it can also cause
nasty things to happen in the cache. For example, if there is a published
1024x768 JPEG image on an OpenCms website, a malicious user can request all
the 1024*768=786432 size variations of the image, thus writing ~14GB of data to
disk (assumptions: 1 byte/pixel, average JPEG compression ratio 1:10; you can
check my calculations in the attached Java code). And of course, if there is
more than one image on the site, the attack can be done for them too (other
resize parameters could work too, I haven't checked...).

The point is that creating large amounts of data in the cache is easily possible
for malicious users. Filling the disk can in many cases bring down the whole
server.

At least a partial resolution for this problem could be limiting the image
cache size and making it, for example, LRU style (I could not find that such
limiting is done already). This does not, of course, prevent a possible
performance DOS attack, and the cache could also be rendered useless by the
attacker.

Other options I could think of seem more complicated and would probably
require the available image sizes to be known before render time.

So, tell me what you think about all this. Am I correct, or am I missing
something?

-Mika
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://webmail.opencms.org/pipermail/opencms-dev/attachments/20090609/ebd0db33/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ImageSize.java
Type: text/x-java
Size: 533 bytes
Desc: not available
URL: <https://webmail.opencms.org/pipermail/opencms-dev/attachments/20090609/ebd0db33/attachment.java>
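As an added example (this is neither the attached ImageSize.java, which the archive does not reproduce, nor OpenCms code), the following Python reproduces the size estimate under the post's stated assumptions (1 byte/pixel, 1:10 JPEG compression) and sketches the two defensive measures the thread points at: a byte-bounded LRU cache that evicts old variants instead of filling the disk, and an allowlist check on the `__scale` parameter so only pre-approved sizes are ever rendered. All function and class names are hypothetical, and the "render" step only reports the estimated byte size of a variant rather than scaling a real image.

```python
import math
from collections import OrderedDict

# Hypothetical helpers (added example, not OpenCms code). The size model is the
# post's stated assumption: 1 byte per pixel, average JPEG compression 1:10.
BYTES_PER_PIXEL = 1
JPEG_COMPRESSION_RATIO = 10


def estimated_jpeg_bytes(width, height):
    """Rough on-disk size of one scaled variant under the post's assumptions.
    Ceiling division so even a 1x1 variant costs at least one byte."""
    return math.ceil(width * height * BYTES_PER_PIXEL / JPEG_COMPRESSION_RATIO)


def estimate_total_variant_bytes(max_width, max_height):
    """Total bytes if a client requests every w x h variant up to the original
    size (the 1024*768 = 786432 variants in the post). Pixel counts are summed
    exactly before the single division, so the result has no float
    accumulation error."""
    total_pixels = sum(w * h for w in range(1, max_width + 1)
                       for h in range(1, max_height + 1))
    return total_pixels * BYTES_PER_PIXEL / JPEG_COMPRESSION_RATIO


def parse_scale(param, allowed_sizes):
    """Parse an OpenCms-style '__scale' value such as 'w:50,h:50'.
    Only sizes in an explicit allowlist are accepted, so a client cannot pick
    an arbitrary (w, h) and force a fresh render plus cache write."""
    fields = {}
    for part in param.split(","):
        key, sep, value = part.partition(":")
        if not sep or key not in ("w", "h") or not value.isdigit():
            raise ValueError(f"malformed scale field: {part!r}")
        fields[key] = int(value)
    if set(fields) != {"w", "h"}:
        raise ValueError("both w and h are required")
    size = (fields["w"], fields["h"])
    if size not in allowed_sizes:
        raise ValueError(f"size {size} is not an allowed variant")
    return size


class ScaledImageCache:
    """Byte-bounded LRU cache of scaled variants: once the total size exceeds
    max_bytes, the least recently used variants are evicted. A flood of
    distinct sizes then costs render time but cannot fill the disk."""

    def __init__(self, max_bytes):
        self.max_bytes = max_bytes
        self.total_bytes = 0
        self.evictions = 0
        self._entries = OrderedDict()  # key -> size in bytes, oldest first

    def get_or_create(self, path, width, height, render=estimated_jpeg_bytes):
        """Return (size_in_bytes, cache_hit). `render` stands in for the real
        scaler and only reports how many bytes the variant would occupy."""
        key = (path, width, height)
        if key in self._entries:
            self._entries.move_to_end(key)  # mark as most recently used
            return self._entries[key], True
        size = render(width, height)
        if size > self.max_bytes:
            raise ValueError("single variant exceeds the whole cache budget")
        self._entries[key] = size
        self.total_bytes += size
        while self.total_bytes > self.max_bytes:  # evict oldest until within budget
            _, evicted_size = self._entries.popitem(last=False)
            self.total_bytes -= evicted_size
            self.evictions += 1
        return size, False

    def __len__(self):
        return len(self._entries)


def simulate_variant_flood(cache, path, max_width, max_height):
    """Request every (w, h) variant up to max_width x max_height, the request
    pattern the post describes, and return how many renders it forced."""
    renders = 0
    for w in range(1, max_width + 1):
        for h in range(1, max_height + 1):
            _, hit = cache.get_or_create(path, w, h)
            if not hit:
                renders += 1
    return renders


if __name__ == "__main__":
    gib = estimate_total_variant_bytes(1024, 768) / 1024 ** 3
    print(f"all 1024x768 variants: about {gib:.1f} GiB")  # the post's ~14GB
    cache = ScaledImageCache(max_bytes=50 * 1024 * 1024)  # 50 MiB budget
    renders = simulate_variant_flood(cache, "/image.jpeg", 256, 192)
    print(f"{renders} renders, {cache.evictions} evictions, "
          f"{cache.total_bytes} bytes kept, {len(cache)} variants")
```

Under the post's assumptions the full 1024x768 variant set comes to about 15.5e9 bytes, i.e. roughly 14.4 GiB, which matches the ~14GB figure. The two measures are complementary: the LRU bound caps disk usage but, as the post notes, still lets an attacker burn CPU and evict useful variants, whereas the allowlist removes the attacker's ability to choose sizes at all, at the cost of needing the permitted sizes known up front.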

