possible DoS when displaying large threads


  • possible DoS when displaying large threads

    Pretty considerable bug one of my users discovered today.

    On large threads, it's possible to bring the server to its knees by modifying a URL to display all replies on one page.

    Example:

    Thread has > 2,000 replies
    user crafts a URL to show all 2,000 replies per page, or more, depending on size of thread

    http://www.forumname.net/showthread....perpage=######

    server processes the request and will be brought down due to high loads

  • #2
    that's fixed in vB 2.2.7 so best to upgrade

    i noticed your vB copyright text at http://www.hosthome.net/1400smith/ is not properly showing (masked by background colour) as required by vB licensing requirements ... best to fix that up when you finish upgrading
    :: Always Back Up Forum Database + Attachments BEFORE upgrading !
    :: Nginx SPDY SSL - World Flags Demo [video results]
    :: vBulletin hacked forums: Clean Up Guide for VPS/Dedicated hosting users [ vbulletin.com blog summary ]



    • #3
      do you know where the exact fix is? i don't have time to do a full upgrade to 2.2.7 because of the changes they made.



      • #4
        showthread.php

        PHP Code:
        // old check: only rejects values below 1, so any large $perpage from the URL is accepted
        if ($perpage < 1) {
            if ($bbuserinfo[maxposts] != -1 and $bbuserinfo[maxposts] != 0) {
                $perpage = $bbuserinfo[maxposts];
            } else {
                $perpage = $maxposts;
            }
        }

        becomes

        PHP Code:
        // new check: the largest value offered anywhere in the admin settings becomes the ceiling
        $umaxposts = explode(',', $usermaxposts . ",$maxposts");
        $newmaxposts = max($umaxposts);
        if ($perpage < 1 or $perpage > $newmaxposts) {
            // the stored profile preference is only honoured if it is itself within the ceiling
            if ($bbuserinfo['maxposts'] != -1 and $bbuserinfo['maxposts'] != 0 and $bbuserinfo['maxposts'] <= $newmaxposts) {
                $perpage = $bbuserinfo['maxposts'];
            } else {
                $perpage = $maxposts;
            }
        }

        Scott MacVicar

        My Blog | Twitter
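        The clamp from the 2.2.7 fix above, as an added, self-contained example that is not vBulletin's own code: it assumes a function name resolve_perpage and constructed admin settings, so the edge cases (an oversized request, an oversized profile preference, a zero or negative value) can be exercised offline.

```php
<?php
// Added example, not vBulletin code. Names $usermaxposts, $maxposts and the
// 'maxposts' profile field follow the thread; resolve_perpage and the sample
// values are assumptions made for this demonstration.

/**
 * Decide how many posts to show per page.
 *
 * @param int    $perpage       value taken from the request (untrusted; cast before calling)
 * @param int    $userPref      $bbuserinfo['maxposts']: -1 or 0 means "no preference"
 * @param string $usermaxposts  comma-separated choices users may pick, e.g. "10,20,40"
 * @param int    $maxposts      admin default page size
 */
function resolve_perpage(int $perpage, int $userPref, string $usermaxposts, int $maxposts): int
{
    // Largest value an admin has offered anywhere becomes the hard ceiling.
    $newmaxposts = max(array_map('intval', explode(',', "$usermaxposts,$maxposts")));

    // Reject anything outside 1..$newmaxposts, as the 2.2.7 check does.
    if ($perpage < 1 or $perpage > $newmaxposts) {
        if ($userPref != -1 and $userPref != 0 and $userPref <= $newmaxposts) {
            // Profile preference is used only if it is itself within the ceiling.
            $perpage = $userPref;
        } else {
            $perpage = $maxposts;
        }
    }
    return $perpage;
}

// Constructed scenarios: admin offers 10/20/40 per page, default 15.
$cases = [
    // [request, profile preference, expected result]
    [100000, 0,   15], // the crafted URL from post #1: clamped to the default
    [0,      20,  20], // missing or zero perpage: fall back to the profile setting
    [0,      500, 15], // oversized profile value cannot override the ceiling
    [40,     0,   40], // an allowed value passes through untouched
    [-5,     -1,  15], // negative request, no preference: default
];
foreach ($cases as [$req, $pref, $want]) {
    $got = resolve_perpage($req, $pref, '10,20,40', 15);
    printf("perpage=%-7d pref=%-4d -> %-3d %s\n", $req, $pref, $got, $got === $want ? 'ok' : 'MISMATCH');
}
```

        Note that the check only bounds the value: with these settings a request of 37 is accepted because it is below the ceiling, even though it is not one of the offered choices.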



        • #5
          Many thanks
