Netflix-Skunkworks / sleepy-puppy

Sleepy Puppy XSS Payload Management Framework
Apache License 2.0

Denial of Service #13

Closed ewilded closed 7 years ago

ewilded commented 7 years ago

The /up page taking uploaded screenshots is somehow susceptible to a denial of service condition. After sending precisely 27 screenshot-uploading requests the server application crashes. Repeated multiple times with different filenames and contents - there was no difference, it kept crashing exactly after the 27th request. An output from Intruder (which was used to perform the crash) along with the console output provided on a screenshot (by the way, I am not sure if it's zip-encoder related - I keep getting that error message every time I upload a valid image):

[screenshot: crash]

sbehrens commented 7 years ago

Hi @edwilded,

Are you running the server in production mode (fronted by Nginx and MySQL instead of SQLite)?

ewilded commented 7 years ago

Nope, that's a test instance run from Docker.

sbehrens commented 7 years ago

That sounds like some issue with Pillow or PIL, possibly missing some dependencies which are resulting in the exception.

Can you try the following (within the virtualenv):

    source sleepyenv/bin/activate
    pip uninstall Pillow
    sudo apt-get install libjpeg-dev zlib1g-dev
    pip install -I Pillow

sbehrens commented 7 years ago

Once we clear up the error you are seeing we can dig a bit into the DoS and see if that's related to the embedded Python server, SQLite, or the application code. I'd be happy to try this out on my production deployment if you can provide a reference image upload (feel free to export your Burp state, anonymized if needed) and I could give it a try.

ewilded commented 7 years ago

Fair enough - dependencies installed; crash is gone :)

sbehrens commented 7 years ago

Great, I'll update the docs to include those deps.
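
The missing-dependency condition diagnosed in this thread can be caught at startup instead of on the first upload. The following is an added example, not code from Sleepy Puppy or from the thread's participants: a preflight check using Pillow's `PIL.features.check_codec`. The function names and the codec-to-package mapping (built from the packages named above) are assumptions.

```python
"""Preflight check for the Pillow codecs a screenshot-upload handler needs."""
import importlib

# Codec names as understood by PIL.features.check_codec(): "zlib" backs the
# PNG ("zip") encoder and "jpg" backs JPEG. Which formats the application
# actually writes is an assumption; the packages are the ones named in the thread.
REQUIRED_CODECS = {"zlib": "zlib1g-dev", "jpg": "libjpeg-dev"}


def load_codec_checker():
    """Return PIL.features.check_codec, or None if Pillow is not importable."""
    try:
        return importlib.import_module("PIL.features").check_codec
    except ImportError:
        return None


def missing_codecs(check_codec, required=REQUIRED_CODECS):
    """Map each codec Pillow was built without to the apt package providing it."""
    missing = {}
    for codec, package in required.items():
        try:
            supported = bool(check_codec(codec))
        except ValueError:  # codec name unknown to this Pillow version
            supported = False
        if not supported:
            missing[codec] = package
    return missing


def preflight(check_codec=None):
    """Return (ok, message) so the caller can refuse to start on failure."""
    check_codec = check_codec or load_codec_checker()
    if check_codec is None:
        return False, "Pillow is not installed in this environment"
    missing = missing_codecs(check_codec)
    if missing:
        packages = " ".join(sorted(set(missing.values())))
        return False, ("Pillow lacks %s; install %s, then 'pip install -I Pillow'"
                       % (", ".join(sorted(missing)), packages))
    return True, "Pillow has all required codecs"


if __name__ == "__main__":
    ok, message = preflight()
    print(message)
    raise SystemExit(0 if ok else 1)
```

Run inside the virtualenv before starting the server; a non-zero exit status means the image library cannot encode the uploads it will receive.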