Jawsh
Active member
Code:
// random loading delay
if ($options->discourageDelay['max'])
{
    usleep(mt_rand($options->discourageDelay['min'], $options->discourageDelay['max']) * 1000000);
}
Code:
if ($this->_request->isPost() && $delay = XenForo_Application::get('options')->delayPostResponses)
{
    usleep($delay * 1000000);
}
Because of how sleep() works, a disgruntled discouraged user can launch (n = pm.max_children) requests simultaneously and lock up the entire server until the delay is over. This makes application level DoS attacks t r i v i a l.
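
The worker-pool arithmetic behind this, as an added example (not code from the post or from XenForo): a small model of a fixed pool where each delayed request holds a worker for the whole usleep(), used to size how long a normal request queues. The `SERVICE` cost and the `sleep_cap` guard (skip the delay once too many workers are already sleeping) are assumptions made for illustration.

```python
import heapq

SERVICE = 0.05  # assumed processing time of one request, in seconds


def probe_wait(workers, sleepers, delay, sleep_cap=None):
    """Seconds a normal request waits for a free worker.

    workers   -- pool size (pm.max_children in PHP-FPM)
    sleepers  -- delayed requests queued at t=0, ahead of the normal one
    delay     -- seconds each delayed request spends inside usleep()
    sleep_cap -- hypothetical guard: at most this many workers may be
                 sleeping at once; requests over the cap skip the delay
    """
    free_at = [0.0] * workers   # min-heap: time each worker is next idle
    sleeping_until = []         # end times of the sleeps still in progress
    for _ in range(sleepers):
        start = heapq.heappop(free_at)           # earliest idle worker
        sleeping_until = [t for t in sleeping_until if t > start]
        cost = SERVICE
        if sleep_cap is None or len(sleeping_until) < sleep_cap:
            sleeping_until.append(start + delay)
            cost += delay                        # worker blocked, not idle
        heapq.heappush(free_at, start + cost)
    # The normal request is served when the next worker becomes idle.
    return round(heapq.heappop(free_at), 3)


if __name__ == "__main__":
    # Constructed scenario: 5 workers, 10-second delay.
    for label, kwargs in [
        ("4 delayed requests, no cap", dict(sleepers=4)),
        ("5 delayed requests, no cap", dict(sleepers=5)),
        ("10 delayed requests, no cap", dict(sleepers=10)),
        ("10 delayed requests, cap of 2", dict(sleepers=10, sleep_cap=2)),
    ]:
        wait = probe_wait(workers=5, delay=10, **kwargs)
        print(f"{label}: normal request waits {wait}s")
```

With no cap the wait grows by a full delay for every `workers` delayed requests; with the cap, the pool never has more than `sleep_cap` workers parked in usleep() and the rest stay available.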