Posted by christefano on April 6, 2009 at 6:43pm
| Project: | Knurl |
| Version: | 6.x-1.0 |
| Component: | Miscellaneous |
| Category: | feature request |
| Priority: | critical |
| Assigned: | Unassigned |
| Status: | postponed |
Issue Summary
It seems pretty easy to DoS a site running Knurl by creating a knurl that redirects to another knurl that redirects to the first knurl.
Comments
#1
Sanitising the input when the form is validated would seem to be easy for a single site, but here's the rub:
Any 2 sites using this module could be used to DOS the other (presumably with a 'winner' and a 'loser' as one of them gets knocked off and stops DOS'ing the other.)
So hopefully a patch will take this into account as well.
- Forest Mars
#2
Anybody have an idea or patch for this?
#3
I don't really see how this can be avoided. I mean I could add validation to prevent the user from making a link from an existing link (on the specific site), but there is no way I can think of to detect if they are linking to another similar service elsewhere.
On the other hand, only users with permission can create links so the motivation to actually do this would be pretty low.
If anyone has some input or ideas let me know.
#4
#5
Can you check for the hostname in $_SERVER['HTTP_HOST'] and $_SERVER['HTTP_REFERER'] before knurling the link?
#6
As mentioned, fixing the "local" (single site) version of this problem is simple. I agree that it's tough to think of a valid case for exploiting this remotely, though. With that said however, it shouldn't be too hard to implement flood control on the redirected link or check the referer against the target as @christefano mentioned. If going the flood control route, I'd think it should be a configurable option.
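The two mitigations discussed in this thread, rejecting targets that point back at the same site when a link is created and flood control when a link is followed, shown in plain PHP as an added example; it is not Knurl's code and not part of any comment here. The function and class names, the thresholds, and the hosts and addresses in the sample data are assumptions.

```php
<?php
// Added example, not Knurl code; every name here is hypothetical. Needs PHP 8.0+.

// Creation-time check: true when $target points back at this site (local loop).
// $site_host should come from site configuration: HTTP_HOST is a request header.
function example_target_is_local(string $target, string $site_host): bool {
    $host = parse_url($target, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return true; // relative or unparseable target: refuse it
    }
    // Compare case-insensitively, ignoring a trailing dot and a leading "www.".
    $norm = fn(string $h): string =>
        preg_replace('/^www\./', '', strtolower(rtrim($h, '.')));
    $site = preg_replace('/:\d+$/', '', $site_host); // drop an optional port
    return $norm($host) === $norm($site);
}

// Redirect-time flood control: at most $limit hits per $window seconds for one
// short code from one client. The array stands in for persistent storage.
final class ExampleRedirectGuard {
    private array $hits = [];

    public function __construct(private int $limit, private int $window) {}

    public function allow(string $code, string $client_ip, int $now): bool {
        $key = $code . '|' . $client_ip;
        $cutoff = $now - $this->window;
        $recent = array_values(array_filter(
            $this->hits[$key] ?? [],
            fn(int $t): bool => $t > $cutoff
        ));
        $allowed = count($recent) < $this->limit;
        if ($allowed) {
            $recent[] = $now;
        }
        $this->hits[$key] = $recent;
        return $allowed;
    }
}

// Constructed sample data.
foreach (['http://WWW.Short.Example./abc', 'http://other.example/abc', '/abc'] as $t) {
    echo $t, ' => ', example_target_is_local($t, 'short.example:8080') ? 'reject' : 'accept', "\n";
}
$guard = new ExampleRedirectGuard(5, 60);
for ($i = 0; $i < 8; $i++) { // one client bouncing around a two-site loop
    echo "hit $i: ", $guard->allow('abc', '203.0.113.7', 1000 + $i) ? '302' : '429', "\n";
}
```

The creation-time check only covers the single-site loop. The guard is what stops a loop that passes through another site, because the same client keeps requesting the same short code and is answered with an error instead of another redirect once the limit is reached.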
#7
Will get to this at some point down the road, if anyone would like to patch against the current release please do so.
#8