On 7/8/06, Erik Moeller eloquence@gmail.com wrote:
The archive could also contain a large number of files of normally acceptable size (e.g. 100*1MB). Finally, keep in mind that an attacker could upload multiple ZIP files in a row to spam the server.
Both of these problems may be less serious if temporary files are thrown away immediately if they are not valid files. It's probably still possible to generate huge files that pass the MIME check, but not something a typical script kiddie could easily do.
Erik
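The limits discussed in this message (entry count and total uncompressed size of an uploaded archive, plus discarding anything invalid before it is written out) can be enforced from the ZIP central directory before a single byte is extracted. The following is an added example, not code from this thread or from any wiki software; the limit constants and the helper names are assumptions, and the sample archives are constructed in memory. It also covers the case the central directory cannot be trusted: declared sizes are only claims, so the bounded reader counts inflated bytes as they come out and stops at the cap. Rate limiting of repeated uploads is a separate control and is not shown here.

```python
"""Pre-extraction size/count limits for an uploaded ZIP archive (added example)."""
import io
import zipfile
from dataclasses import dataclass
from typing import Optional

# Hypothetical limits; tune to the site's upload policy.
MAX_ENTRIES = 100                            # e.g. rejects "100*1MB plus one"
MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024    # 50 MB across all entries
MAX_SINGLE_UNCOMPRESSED = 10 * 1024 * 1024   # 10 MB for any one entry
MAX_RATIO = 100                              # uncompressed / compressed


@dataclass
class ZipVerdict:
    ok: bool
    reason: str
    entries: int
    total_uncompressed: int


def check_zip_limits(data: bytes) -> ZipVerdict:
    """Inspect only the central directory; nothing is extracted or written to disk.

    Rejects malformed archives, too many entries, oversized entries, oversized
    totals and implausible compression ratios based on the *declared* sizes.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ZipVerdict(False, "not a valid ZIP file", 0, 0)
    with zf:
        infos = zf.infolist()
        if len(infos) > MAX_ENTRIES:
            return ZipVerdict(False, f"too many entries ({len(infos)} > {MAX_ENTRIES})",
                              len(infos), 0)
        total = 0
        for info in infos:
            if info.file_size > MAX_SINGLE_UNCOMPRESSED:
                return ZipVerdict(False, f"entry too large: {info.filename}", len(infos), total)
            # A non-empty entry with zero compressed size is a bogus header.
            if info.compress_size == 0 and info.file_size > 0:
                return ZipVerdict(False, f"inconsistent sizes: {info.filename}", len(infos), total)
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                return ZipVerdict(False, f"suspicious compression ratio: {info.filename}",
                                  len(infos), total)
            total += info.file_size
            if total > MAX_TOTAL_UNCOMPRESSED:
                return ZipVerdict(False, "total uncompressed size over limit", len(infos), total)
        return ZipVerdict(True, "within limits", len(infos), total)


def read_entry_bounded(data: bytes, name: str, limit: int) -> Optional[bytes]:
    """Inflate one entry in chunks and stop as soon as `limit` bytes are exceeded.

    Returns the entry's bytes, or None if the real inflated size exceeds the
    limit (regardless of what the header declared).
    """
    out = bytearray()
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(name) as fh:
        while True:
            chunk = fh.read(64 * 1024)
            if not chunk:
                break
            out.extend(chunk)
            if len(out) > limit:
                return None  # caller discards the temporary data immediately
    return bytes(out)


def _build_zip(entries) -> bytes:
    """Constructed sample archive built in memory from (name, payload) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries:
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: a benign archive, one with too many entries,
# and one whose single entry inflates far beyond its compressed size.
SAMPLE_OK = _build_zip([("a.txt", b"hello"), ("b.txt", b"world")])
SAMPLE_MANY = _build_zip([(f"f{i}.txt", b"x") for i in range(150)])
SAMPLE_BOMBISH = _build_zip([("zeros.bin", b"\0" * 200_000)])


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("many", SAMPLE_MANY), ("bombish", SAMPLE_BOMBISH)):
        print(label, check_zip_limits(sample))
    print("bounded read:", read_entry_bounded(SAMPLE_BOMBISH, "zeros.bin", 1_000))
```

The first function is cheap enough to run on every upload before anything touches the filesystem; the second is what the actual extraction path should use, because a forged central directory can declare small sizes while the deflate stream inflates to far more.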