[opencms-dev] DOS attacks made possible by image scaling?
Claus Priisholm
cpr at codedroids.com
Wed Jun 10 10:21:40 CEST 2009
Ideally the parameters should be encrypted or better yet hashed so only
the combinations of parameters known to the server are accepted. There
is already some of this going on as the resulting images are cached with
a unique id. But it may not be easy. I haven't looked that much at the
code involved.

But there are a couple of things you can do. In the opencms-vfs.xml you
can disable the function by setting image.scaling.enabled = false.
And, if you need it, you can set the image.scaling.maxsize to whatever
is the maximum you need. Often I find that the function is only used for
making thumbnails and in that case you may get away with a maxsize = 64
pixels or likewise rather than the default 1500 pixels. At least that
helps minimize the severity of a DOS attempt.
Paul-Inge Flakstad wrote:
> Hi Mika
>
> This was a very interesting post, raising questions on an issue I
> haven't even thought about. I'm really looking forward to hearing what the
> experts have to say about this.
>
> Cheers,
> Paul
>
> ------------------------------------------------------------------------
> *From:* opencms-dev-bounces at opencms.org
> [mailto:opencms-dev-bounces at opencms.org] *On Behalf Of *Mika Salminen
> *Sent:* 9 June 2009 21:42
> *To:* opencms-dev at opencms.org
> *Subject:* [opencms-dev] DOS attacks made possible by image scaling?
>
> Hello,
>
> OpenCms image scaling with request parameters (i.e.
> http://your.url/image.jpeg?__scale=w:50,h:50) is a nice feature and
> allows, for example, easy thumbnail generation. But I believe that it
> provides multiple possibilities for a malicious user to play around.
>
> Basic attacks could possibly be done as easily as just requesting
> the image with many different parameters many times in a row.
>
> For example:
>
> http://your.url/image.jpeg?__scale=w:1,h:1
> http://your.url/image.jpeg?__scale=w:1,h:2
> http://your.url/image.jpeg?__scale=w:1,h:3
> ...
> http://your.url/image.jpeg?__scale=w:1024,h:767
>
> This would cause OpenCms to create and write to cache a new version
> of the image (of course, if an image with the given parameters already
> exists in the cache, it is not recreated).
>
> This kind of attack could cause performance problems for the
> server (I assume that the image processing is not very cheap), but
> it can also cause nasty things to happen in the cache. For example, if
> there is a published 1024x768 JPEG image on an OpenCms website, a
> malicious user can request all the 1024*768=786432 size
> variations of the image, thus creating ~14GB of data on disk
> (assumptions: 1 byte/pixel, average JPEG compression ratio 1:10. You
> can check my calculations in the attached Java code). And of course, if
> there is more than one image on the site, the attack can be done for
> them too (other resize parameters could work too, haven't checked...).
>
> The point is that creating large amounts of data to cache is easily
> possible for malicious users. Filling the disk can in many cases put
> down the whole server.
>
> At least a partial resolution for this problem could be limiting the
> image cache size and making it, for example, LRU style (I could not
> find that limiting is done already). This does not, of course, prevent a
> possible performance DOS attack, and the cache could also be rendered
> useless by the attacker.
>
> Other options I could think of seem more complicated and would
> probably require the available image sizes to be known before render
> time.
>
> So tell me what you think about all this. Am I correct or am I missing
> something?
>
> -Mika
>
> _______________________________________________
> This mail is sent to you from the opencms-dev mailing list
> To change your list options, or to unsubscribe from the list, please visit
> http://lists.opencms.org/mailman/listinfo/opencms-dev
--
Claus Priisholm, CodeDroids ApS
Phone: +45 48 22 46 46
cpr (you know what) codedroids.com - http://www.codedroids.com
cpr (you know what) interlet.dk - http://www.interlet.dk
--
Javadocs and other OpenCms stuff:
http://www.codedroids.com/community/opencms
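The following Python is an added illustration, not OpenCms code and not anything posted by the participants in this thread. It models the three mitigations the two mails discuss: the image.scaling.enabled and image.scaling.maxsize switches Claus names (the setting names come from his mail; how they are modelled here, and the ScalePolicy, BoundedImageCache and serve names, are assumptions), an allowlist of size combinations the server knows, and the byte-bounded LRU cache Mika proposes. It also carries Mika's ~14GB estimate through in closed form under his stated assumptions. The request parameter syntax follows the ?__scale=w:50,h:50 form quoted above; rendering is simulated with a byte string rather than a real JPEG.

```python
# Added example, not code from OpenCms or from anyone in this thread.
# Models the mitigations discussed: image.scaling.enabled / maxsize, an
# allowlist of size combinations the server knows, and a byte-bounded LRU
# cache. Parameter syntax follows ?__scale=w:50,h:50; the rest is assumed.
from collections import OrderedDict
import re

_SCALE_RE = re.compile(r"^[a-z]+:\d+(?:,[a-z]+:\d+)*$")

def parse_scale(param):
    """Turn 'w:50,h:50' into {'w': 50, 'h': 50}; reject anything else."""
    if not _SCALE_RE.match(param):
        raise ValueError("malformed __scale parameter: %r" % param)
    return {k: int(v) for k, v in (item.split(":") for item in param.split(","))}

class ScalePolicy:
    """enabled switches scaling off entirely, maxsize caps either dimension
    (both assumed to act like the opencms-vfs.xml settings named in the
    thread); allowed, if given, is the set of (w, h) pairs the site uses."""

    def __init__(self, enabled=True, maxsize=1500, allowed=None):
        self.enabled = enabled
        self.maxsize = maxsize
        self.allowed = set(allowed) if allowed is not None else None

    def accepts(self, dims):
        if not self.enabled:
            return False
        w, h = dims.get("w"), dims.get("h")
        if w is None or h is None:  # assumption: both dimensions required
            return False
        if not (1 <= w <= self.maxsize and 1 <= h <= self.maxsize):
            return False
        return self.allowed is None or (w, h) in self.allowed

class BoundedImageCache:
    """LRU cache of scaled variants keyed by (path, w, h), bounded in bytes."""

    def __init__(self, max_bytes):
        self.max_bytes = max_bytes
        self.used = 0
        self.evictions = 0
        self._store = OrderedDict()

    def get(self, key):
        data = self._store.get(key)
        if data is not None:
            self._store.move_to_end(key)  # mark as most recently used
        return data

    def put(self, key, data):
        if key in self._store:
            self.used -= len(self._store.pop(key))
        self._store[key] = data
        self.used += len(data)
        while self.used > self.max_bytes:  # drop least recently used first
            _, old = self._store.popitem(last=False)
            self.used -= len(old)
            self.evictions += 1

def estimate_variant_bytes(width, height, bytes_per_pixel=1, compression=10):
    """Bytes written if every w x h variant (1 <= w <= width, 1 <= h <= height)
    is rendered once, under the thread's assumptions of 1 byte/pixel and
    1:10 JPEG compression. sum(w*h) = width(width+1)/2 * height(height+1)/2."""
    pixels = (width * (width + 1) // 2) * (height * (height + 1) // 2)
    return pixels * bytes_per_pixel // compression

def serve(requests, policy, cache):
    """Push (path, __scale) requests through policy and cache; a byte string
    of w*h/10 bytes stands in for the rendered JPEG."""
    stats = {"rejected": 0, "rendered": 0, "hits": 0}
    for path, param in requests:
        try:
            dims = parse_scale(param)
        except ValueError:
            stats["rejected"] += 1
            continue
        if not policy.accepts(dims):
            stats["rejected"] += 1
            continue
        key = (path, dims["w"], dims["h"])
        if cache.get(key) is not None:
            stats["hits"] += 1
            continue
        cache.put(key, b"\0" * max(1, dims["w"] * dims["h"] // 10))
        stats["rendered"] += 1
    return stats

if __name__ == "__main__":
    # Constructed request stream: the w:1,h:1 ... enumeration from the
    # thread, cut to 64x64 = 4096 variants so it runs in a moment.
    flood = [("/image.jpeg", "w:%d,h:%d" % (w, h))
             for w in range(1, 65) for h in range(1, 65)]
    print("every variant of a 1024x768 image: %.1f GiB"
          % (estimate_variant_bytes(1024, 768) / 2 ** 30))
    print("default policy:", serve(flood, ScalePolicy(), BoundedImageCache(10 ** 5)))
    strict = ScalePolicy(maxsize=64, allowed={(64, 64), (32, 32)})
    print("maxsize=64 + allowlist:", serve(flood, strict, BoundedImageCache(10 ** 5)))
```

With the default policy every request in the stream is rendered and the bounded cache keeps evicting to stay under its limit, which is exactly the "cache rendered useless" effect Mika describes; with maxsize=64 plus an allowlist of the two sizes the site actually uses, only two variants are ever rendered and the rest are refused before any image processing happens. The closed-form estimate for the full 1024x768 enumeration comes out at about 14.4 GiB, matching the ~14GB figure in the original post.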