<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.6000.16825" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=421544223-09062009><FONT face=Arial
color=#0000ff size=2>Hi Mika</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=421544223-09062009><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=421544223-09062009><FONT face=Arial
color=#0000ff size=2>This was a very interesting post, raising questions
on an issue I haven't even thought about. I'm really looking
forward to hearing what the experts have to say about
this.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=421544223-09062009><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=421544223-09062009><FONT face=Arial
color=#0000ff size=2>Cheers,</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=421544223-09062009><FONT face=Arial
color=#0000ff size=2>Paul</FONT></SPAN></DIV><BR>
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> opencms-dev-bounces@opencms.org
[mailto:opencms-dev-bounces@opencms.org] <B>On Behalf Of </B>Mika
Salminen<BR><B>Sent:</B> 9 June 2009 21:42<BR><B>To:</B>
opencms-dev@opencms.org<BR><B>Subject:</B> [opencms-dev] DOS attacks made
possible by image scaling?<BR></FONT><BR></DIV>
<DIV></DIV>Hello,<BR><BR>OpenCms image scaling with request parameters (i.e.
<A
href="http://your.url/image.jpeg?__scale=w:50,h:50">http://your.url/image.jpeg?__scale=w:50,h:50</A>)
is a nice feature and allows, for example, easy thumbnail generation. But I
believe that it provides multiple possibilities for a malicious user to play
around. <BR><BR>Basic attacks could possibly be done as easily as just
requesting the image with many different parameters many times in a
row.<BR><BR>For example:<BR><BR><A
href="http://your.url/image.jpeg?__scale=w:1,h:1">http://your.url/image.jpeg?__scale=w:1,h:1</A><BR><A
href="http://your.url/image.jpeg?__scale=w:1,h:2">http://your.url/image.jpeg?__scale=w:1,h:2</A><BR><A
href="http://your.url/image.jpeg?__scale=w:1,h:3">http://your.url/image.jpeg?__scale=w:1,h:3</A><BR>...<BR><A
href="http://your.url/image.jpeg?__scale=w:1024,h:767">http://your.url/image.jpeg?__scale=w:1024,h:767</A><BR><BR>This
would cause OpenCms to create and write to the cache a new version of the image
(of course, if an image with the given parameters already exists in the cache, it is
not recreated).<BR><BR>This kind of attack could cause performance
problems for the server (I assume that the image processing is not very
cheap), but it can also cause nasty things to happen in the cache. For example, if
there is a published 1024x768 JPEG image on an OpenCms website, a malicious user
can request all the 1024*768=786432 size variations of the image, thus
creating ~14GB of data on disk (assumptions: 1 byte/pixel, average JPEG
compression ratio of 1:10; you can check my calculations in the attached Java code).
And of course, if there is more than one image on the site, the attack can be done
for them too (other resize parameters could work too, I haven't
checked...).<BR><BR>The point is that creating large amounts of data in the cache
is easily possible for malicious users. Filling the disk can in many cases bring
down the whole server.<BR><BR>At least a partial resolution for this problem
could be limiting the image cache size and making it, for example, LRU style (I
could not find that limiting is done already). This does of course not prevent
a possible performance DOS attack, and the cache could also be rendered useless
by the attacker.<BR><BR>Other options I could think of seem more complicated
and would probably require the available image sizes to be known before render
time. <BR><BR>So tell me what you think about all this. Am I correct or do I
miss something?<BR><BR>-Mika<BR><BR><BR></BLOCKQUOTE></BODY></HTML>