
Design issue Discouraged users can shut down all php daemons

Jawsh

Formerly null0
#1
Code:
        // random loading delay
        if ($options->discourageDelay['max'])
        {
            usleep(mt_rand($options->discourageDelay['min'], $options->discourageDelay['max']) * 1000000);
        }
Code:
        if ($this->_request->isPost() && $delay = XenForo_Application::get('options')->delayPostResponses)
        {
            usleep($delay * 1000000);
        }
Because of how sleep() works, a disgruntled discouraged user can launch (n = pm.max_children) requests simultaneously and lock up the entire server until the delay is over. This makes application level DoS attacks trivial.
 

Mike

XenForo developer
Staff member
#2
There's literally nothing that we can do about this in PHP. It's very dependent on your server setup and, of course, how you use this particular option. The same argument would apply if you find any sort of semi-slow to generate page.

I'd also note that your second example is a debugging option, not one that's exposed to end users.
 

Jawsh

Formerly null0
#3
Mike said:
There's literally nothing that we can do about this in PHP. It's very dependent on your server setup and, of course, how you use this particular option. The same argument would apply if you find any sort of semi-slow to generate page.

I'd also note that your second example is a debugging option, not one that's exposed to end users.
Make it so that if Memcache is enabled, an IP-specific token is set for the lifetime of the pause and subsequent requests within that token's lifetime cause the page to instantly 500.
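One way to build the guard proposed in #3, written here as an added example rather than XenForo's own code: before sleeping, the request atomically claims a per-IP key in the cache with a TTL covering the delay; any further request from the same IP while that key exists returns 500 immediately instead of occupying another php-fpm worker. The `DelayLockStore` interface, the `MemcachedLockStore` and `ArrayLockStore` classes, the `discourageDelay()` function and the key prefix `discourage_delay_` are all assumptions of this example; the Memcached-backed store relies on ext/memcached's `Memcached::add()`, which only succeeds when the key is absent and is therefore usable as a lock. The in-process store exists only so the example runs without a cache server.

```php
<?php
// Added example (not XenForo code): limit delayed requests to one in flight
// per source IP so a discouraged user cannot tie up every php-fpm worker.

interface DelayLockStore
{
    // Returns true only if the key did not exist and has now been claimed.
    public function add(string $key, int $ttlSeconds): bool;
    public function delete(string $key): void;
}

// Production store (assumes ext/memcached). Memcached::add() is atomic across
// all php-fpm workers, which is what makes it safe to use as a lock.
final class MemcachedLockStore implements DelayLockStore
{
    public function __construct(private Memcached $mc) {}

    public function add(string $key, int $ttlSeconds): bool
    {
        return $this->mc->add($key, 1, $ttlSeconds);
    }

    public function delete(string $key): void
    {
        $this->mc->delete($key);
    }
}

// In-process fallback used by the demo below; not shared between workers,
// so it is only a stand-in for running the example offline.
final class ArrayLockStore implements DelayLockStore
{
    /** @var array<string,int> key => expiry timestamp */
    private array $keys = [];

    public function add(string $key, int $ttlSeconds): bool
    {
        $now = time();
        if (isset($this->keys[$key]) && $this->keys[$key] > $now) {
            return false; // still held by an in-flight request
        }
        $this->keys[$key] = $now + $ttlSeconds;
        return true;
    }

    public function delete(string $key): void
    {
        unset($this->keys[$key]);
    }
}

// Returns the HTTP status the caller should send: 200 when the delay ran,
// 500 when another delayed request for this IP is already sleeping.
function discourageDelay(DelayLockStore $store, string $ip, int $minSec, int $maxSec): int
{
    $key = 'discourage_delay_' . $ip;
    $seconds = mt_rand($minSec, $maxSec);

    // Hold the token slightly longer than the sleep so it cannot expire early
    // if the clock ticks over mid-request.
    if (!$store->add($key, $seconds + 1)) {
        return 500; // fail fast instead of occupying a second worker
    }
    try {
        usleep($seconds * 1000000); // the original random discourage delay
    } finally {
        $store->delete($key); // release as soon as the page may continue
    }
    return 200;
}

// Demo with the in-process store. The address is a constructed RFC 5737 value.
$store = new ArrayLockStore();
$ip = '203.0.113.7';

$first = discourageDelay($store, $ip, 0, 0);          // 200: claimed, slept, released
$store->add('discourage_delay_' . $ip, 5);            // simulate a request still sleeping
$second = discourageDelay($store, $ip, 0, 0);         // 500: token already held
$other = discourageDelay($store, '203.0.113.8', 0, 0); // 200: different IP is unaffected

printf("first=%d second=%d other=%d\n", $first, $second, $other);
```

With this in place the number of workers a single discouraged address can hold is one rather than pm.max_children, so a flood of parallel requests from that address now costs one sleeping worker plus a series of cheap 500 responses. The trade-off a deployer should weigh is that the token is keyed on the source address: users who share an address through NAT or a proxy will also receive 500s while a discouraged user's delay is running, and the lock only helps when the store is genuinely shared across all php-fpm workers, which the in-process fallback above is not.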