Design Issue Discouraged users can shut down all php daemons

Discussion in 'Resolved Bug Reports' started by Jawsh, Apr 17, 2016.

  1. Jawsh

    Jawsh Formerly null0

    Code:
            // random loading delay
            if ($options->discourageDelay['max'])
            {
                usleep(mt_rand($options->discourageDelay['min'], $options->discourageDelay['max']) * 1000000);
            }
    Code:
            if ($this->_request->isPost() && $delay = XenForo_Application::get('options')->delayPostResponses)
            {
                usleep($delay * 1000000);
            }
    Because of how sleep() works, a disgruntled discouraged user can launch (n = pm.max_children) requests simultaneously and lock up the entire server until the delay is over. This makes application level DoS attacks t r i v i a l.
     
  2. Mike

    Mike XenForo Developer Staff Member

    There's literally nothing that we can do about this in PHP. It's very dependent on your server setup and, of course, how you use this particular option. The same argument would apply if you find any sort of semi-slow to generate page.

    I'd also note that your second example is a debugging option, not one that's exposed to end users.
     
  3. Jawsh

    Jawsh Formerly null0

    Make it so that if Memcache is enabled, an IP-specific token is set for the lifetime of the pause and subsequent requests within that token's lifetime cause the page to instantly 500.
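Added illustration of the two points in this thread (the worker-pool exhaustion described in the first post and the per-IP token proposed in the third); this is example code written for this page, not code from the thread or from XenForo. It stands in for PHP-FPM with a Python thread pool of size `pm.max_children`, for the blocking `usleep()` with `time.sleep()`, and for the Memcache entry with an in-process dictionary guarded by a lock; the IP addresses, pool size and delay are constructed values, and the rejected requests return 503 rather than the 500 suggested in the post.

```python
"""Simulation: a fixed pool of PHP-FPM workers, a discourage delay that
blocks a worker with sleep(), and a per-IP token that short-circuits
repeat requests during that delay (stand-in for the Memcache proposal)."""
import threading
import time
from concurrent.futures import ThreadPoolExecutor

MAX_CHILDREN = 4      # pm.max_children: size of the worker pool (constructed value)
DELAY_SECONDS = 0.3   # discourageDelay['max'], scaled down so the demo runs quickly

# Constructed addresses from the documentation ranges (not real hosts).
DISCOURAGED_IP = "203.0.113.7"
ORDINARY_IP = "198.51.100.2"


class DelayGate:
    """Per-IP token store standing in for a Memcache key with a TTL.

    While a token for the IP is unexpired, try_acquire() returns False so the
    request can be refused immediately instead of holding a worker for the
    whole delay. The first request from the IP sets the token and is delayed."""

    def __init__(self, ttl):
        self.ttl = ttl
        self._tokens = {}          # ip -> expiry time (time.monotonic())
        self._lock = threading.Lock()

    def try_acquire(self, ip, now=None):
        now = time.monotonic() if now is None else now
        with self._lock:
            expires = self._tokens.get(ip)
            if expires is not None and expires > now:
                return False       # token still live: reject without sleeping
            self._tokens[ip] = now + self.ttl
            return True


def handle_request(ip, discouraged, gate=None):
    """One worker handling one request; returns an HTTP status code."""
    if discouraged:
        if gate is not None and not gate.try_acquire(ip):
            return 503             # refused instantly, worker freed at once
        time.sleep(DELAY_SECONDS)  # the usleep() in the quoted XenForo code
    return 200


def run_scenario(gate=None):
    """Fire MAX_CHILDREN discouraged requests from one IP at once, then one
    ordinary request from another visitor. Returns (statuses of the
    discouraged requests, latency in seconds seen by the ordinary visitor)."""
    with ThreadPoolExecutor(max_workers=MAX_CHILDREN) as pool:
        burst = [pool.submit(handle_request, DISCOURAGED_IP, True, gate)
                 for _ in range(MAX_CHILDREN)]
        time.sleep(0.05)           # let the burst occupy the workers
        start = time.monotonic()
        ordinary = pool.submit(handle_request, ORDINARY_IP, False, gate)
        ordinary.result()          # blocks until a worker is free
        latency = time.monotonic() - start
        statuses = [f.result() for f in burst]
    return statuses, latency


if __name__ == "__main__":
    statuses, latency = run_scenario(None)
    print("no gate :", statuses, f"ordinary visitor waited {latency:.2f}s")
    statuses, latency = run_scenario(DelayGate(DELAY_SECONDS))
    print("with gate:", statuses, f"ordinary visitor waited {latency:.2f}s")
```

Without the gate every worker sits in `sleep()` and the unrelated visitor waits for the full delay; with the gate only one worker per IP is tied up and the rest of the burst is answered immediately. In a real deployment the token would live in Memcache (or another shared store) with a TTL equal to the delay, since PHP-FPM children share no memory, and keying purely on client IP means visitors behind one NAT share a token, which is a trade-off to weigh against the worker exhaustion it prevents.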
     