ZeroNet proxies do not disable the Stats plugin.
Anyone can access /Benchmark externally.
I suppose this is a vulnerability for (D)DoS attacks.
I have written about the problem to bit.no.com via the feedback form, and in ZeroTalk. Anybody from the proxy admins, please read this.
Normal benchmark: http://bit.no.com:43110/Benchmark
Benchmarking ZeroNet 0.3.6 (rev989) Python 2.7.6 (default, Jun 22 2015, 17:58:13) [GCC 4.8.2] on: linux2...
CryptBitcoin:
- hdPrivatekey x 10..........0.301s [x2.33: Fast]
- sign x 10..........0.164s [x2.14: Fast]
- openssl verify x 100...not avalible :(
- pure-python verify x 10..........0.620s [x2.58: WOW]
CryptHash:
- sha256 5M x 10..........0.426s [x1.41: Fine]
- sha512 5M x 10..........0.270s [x2.22: Fast]
- os.urandom(256) x 100 000..........3.200s [x0.20: Sloooow]
Msgpack:
- pack 5K x 10 000..........0.512s [x1.52: Fine]
- unpack 5K x 10 000..........0.538s [x2.23: Fast]
- streaming unpack 5K x 10 000..........0.591s [x2.37: Fast]
Db:
- Open x 10..........0.049s [x2.64: WOW]
- Insert x 10 x 1000..........0.923s [x1.08: OK]
- Buffered insert x 100 x 100..........0.861s [x1.51: Fine]
- Total rows in db: 20000
- Indexed query x 1000..........0.125s [x1.99: Fast]
- Not indexed query x 100..........0.388s [x1.55: Fine]
- Like query x 100..........0.911s [x1.98: Fast]
Done. Total: 10.69s
The results after a manual attack from 6 browser windows:
Benchmarking ZeroNet 0.3.6 (rev989) Python 2.7.6 (default, Jun 22 2015, 17:58:13) [GCC 4.8.2] on: linux2...
CryptBitcoin:
- hdPrivatekey x 10..........0.242s [x2.89: WOW]
- sign x 10..........0.076s [x4.63: Insane!!]
- openssl verify x 100...not avalible :(
- pure-python verify x 10..........0.370s [x4.33: Insane!!]
CryptHash:
- sha256 5M x 10..........0.419s [x1.43: Fine]
- sha512 5M x 10..........0.283s [x2.12: Fast]
- os.urandom(256) x 100 000..........3.636s [x0.18: Sloooow]
Msgpack:
- pack 5K x 10 000..........0.323s [x2.42: Fast]
- unpack 5K x 10 000..........0.559s [x2.15: Fast]
- streaming unpack 5K x 10 000..........0.620s [x2.26: Fast]
Db:
- Open x 10..........0.051s [x2.53: WOW]
- Insert x 10 x 1000..........0.651s [x1.54: Fine]
- Buffered insert x 100 x 100..........0.987s [x1.32: Fine]
- Total rows in db: 20000
- Indexed query x 1000..........0.130s [x1.92: Fast]
- Not indexed query x 100..........0.277s [x2.16: Fast]
- Like query x 100..........0.938s [x1.92: Fast]
Done. Total: 62.52s
The proxy was in a "Denial of Service" state at this time.
PLEASE, DISABLE THE STATS PLUGIN IN PROXIES!!!!
I guess until this is fixed people running proxies can put them behind nginx or apache and just disable access to /Benchmark?
Are there docs for setting up proxies? Maybe a good/easy first step is a PR into the docs with this warning and a guide on restricting access to /Benchmarks in nginx & apache?
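As an added example of the nginx approach suggested above (not part of the thread, and not a ZeroNet project file), here is a minimal vhost that fronts the ZeroNet UI and rejects /Benchmark before it ever reaches ZeroNet. It assumes ZeroNet has been moved off the public port with `--ui_port 43111` and bound to loopback, so that nginx can take the public 43110 the proxy is known by; the server_name is a placeholder. Blocking /Stats as well is an assumption about what the plugin exposes, not something this thread states, so it is kept on a separate, commented line you can drop.

```nginx
# Added example: nginx in front of a public ZeroNet proxy.
# Assumptions: ZeroNet started with --ui_ip 127.0.0.1 --ui_port 43111;
# nginx owns the public port 43110; server_name is a placeholder.
server {
    listen 43110;
    server_name proxy.example.com;

    # Regex locations win over the plain "location /" prefix, so this is
    # evaluated first. Case-insensitive and anchored at the start of the
    # path: /Benchmark, /benchmark and /Benchmark?x are all refused.
    location ~* ^/benchmark {
        return 403;
    }

    # Assumption: the Stats plugin also serves /Stats (peer and site lists).
    # Uncomment if you want that hidden from the public as well.
    # location ~* ^/stats {
    #     return 403;
    # }

    location / {
        proxy_pass http://127.0.0.1:43111;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;

        # ZeroNet's UI uses a WebSocket; these three lines let nginx
        # pass the Upgrade handshake through.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

Check it with `nginx -t`, reload, and then request `http://proxy.example.com:43110/Benchmark` from outside: you should get a 403 from nginx and see nothing in ZeroNet's own log. This only protects the nginx-fronted port; if the ZeroNet UI is still reachable directly on another interface, disabling the plugin itself (as described in the next comment) is the safer fix.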
Actually it looks like you can disable it yourself:
https://github.com/HelloZeroNet/ZeroNet/blob/master/src/Plugin/PluginManager.py#L29-L30
add "disabled_" to the directory name of /plugins/Stats (e.g: /plugins/disabled_Stats)... Or I guess just remove the directory.
@HelloZeroNet Close?
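The rename described in the comment above, written out as a small POSIX shell helper so it can be scripted across several proxies. This is an added example, not code from ZeroNet or from anyone in the thread; it follows the "disabled_" prefix rule the linked PluginManager.py lines are said to apply, and the plugins directory path is whatever your install uses. The scratch tree in the demo is constructed, not a real installation.

```shell
#!/bin/sh
# Added example: disable a ZeroNet plugin by renaming its directory with the
# "disabled_" prefix that PluginManager skips (per the linked PluginManager.py
# lines). PLUGINS_DIR and plugin names are assumptions for the demo below.
set -eu

# Print the names of plugins PluginManager would load from $1:
# every directory whose name does not start with "disabled_".
list_enabled_plugins() {
    plugins_dir=$1
    for d in "$plugins_dir"/*/; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        case $name in
            disabled_*) ;;                 # skipped by PluginManager
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# Rename "$1/$2" to "$1/disabled_$2".
# Idempotent: an already-disabled plugin is reported and left alone;
# a plugin that does not exist at all is an error (return 1).
disable_plugin() {
    plugins_dir=$1
    name=$2
    if [ -d "$plugins_dir/disabled_$name" ]; then
        echo "$name: already disabled"
        return 0
    fi
    if [ ! -d "$plugins_dir/$name" ]; then
        echo "$name: not found in $plugins_dir" >&2
        return 1
    fi
    mv "$plugins_dir/$name" "$plugins_dir/disabled_$name"
    echo "$name: disabled (restart ZeroNet for it to take effect)"
}

# Stand-alone demo on a constructed scratch tree, not a real install.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/plugins/Stats" "$demo_dir/plugins/Zeroname"
disable_plugin "$demo_dir/plugins" Stats
disable_plugin "$demo_dir/plugins" Stats      # second run is a no-op
echo "still enabled: $(list_enabled_plugins "$demo_dir/plugins" | tr '\n' ' ')"
rm -rf "$demo_dir"
```

On a real proxy you would call `disable_plugin /path/to/ZeroNet/plugins Stats`, restart ZeroNet, and then confirm that /Benchmark returns an error rather than the benchmark page. Because plugins are loaded at startup, the rename alone changes nothing until the process is restarted.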