oss-sec mailing list archives

Re: CVE request: php 5.3.1 - "max_file_uploads" [was: Re: [oss-security] CVE request: php 5.3.1 update]


From: Josh Bressers <bressers () redhat com>
Date: Mon, 23 Nov 2009 14:51:28 -0500 (EST)

CVE-2009-4017

PHP versions before 5.3.1 contain a flaw in the way multipart/form-data
handled file upload requests. A user making a specially crafted request could
cause the web server to consume resources processing the request.

http://www.php.net/releases/5_3_1.php
http://marc.info/?l=full-disclosure&m=125871907031725&w=2

Thanks.

-- 
    JB

----- "Jan Lieskovsky" <jlieskov () redhat com> wrote:

Eren Türkay wrote:
On Friday 20 November 2009 12:41:50 pm Thomas Biege wrote:
* Added "max_file_uploads" INI directive, which can be set to limit the
number of file uploads per-request to 20 by default, to prevent possible
DOS via temporary file exhaustion.

Bogdan Calin disclosed the details about that vulnerability on the
full-disclosure mailing list. He didn't disclose his script but I wrote a
PoC that works like a charm. It makes DoS possible for any server that runs
PHP within 1 minute with a few requests.

Additionally, this vulnerability affects 5.2.11. I guess all products before
PHP 5.3.1 are vulnerable.

I think this deserves CVE Id. Any ideas?

   Josh, could you please allocate one?

Also changed the topic to match only 'php 5.3.1 - "max_file_uploads"' thing,
so it isn't lost in other mails.

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
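
A front-end check in the spirit of the "max_file_uploads" limit quoted above, as an added example that is not part of the original thread and is not PHP's implementation: it counts the parts of a multipart/form-data body that carry a filename and compares the count with a cap. The function names and the sample request are constructed for illustration.

```python
import re

DEFAULT_MAX_FILE_UPLOADS = 20  # default named in the changelog entry quoted above

# Constructed sample request: one plain field and three file parts.
SAMPLE_CT = 'multipart/form-data; boundary=XbOuNdArY'
SAMPLE_BODY = (
    b'--XbOuNdArY\r\n'
    b'Content-Disposition: form-data; name="comment"\r\n\r\n'
    b'hello\r\n'
    b'--XbOuNdArY\r\n'
    b'Content-Disposition: form-data; name="f1"; filename="a.txt"\r\n'
    b'Content-Type: text/plain\r\n\r\n'
    b'aaa\r\n'
    b'--XbOuNdArY\r\n'
    b'Content-Disposition: form-data; name="f2"; filename="b.txt"\r\n\r\n'
    b'bbb\r\n'
    b'--XbOuNdArY\r\n'
    b'Content-Disposition: form-data; name="f3"; filename="c.txt"\r\n\r\n'
    b'see --XbOuNdArY here (mid-line, so not a delimiter)\r\n'
    b'--XbOuNdArY--\r\n'
)

def count_file_parts(content_type: str, body: bytes) -> int:
    """Count body parts whose Content-Disposition has a filename parameter."""
    if not content_type.lower().lstrip().startswith("multipart/form-data"):
        return 0
    m = re.search(r'boundary="?([^";]+)"?', content_type, re.I)
    if not m:
        return 0
    # A delimiter is CRLF + "--" + boundary; prefix CRLF so the first one matches.
    delim = b"\r\n--" + m.group(1).strip().encode("latin-1")
    count = 0
    for part in (b"\r\n" + body).split(delim)[1:]:  # [0] is the preamble
        if part.startswith(b"--"):                  # closing delimiter
            break
        headers = part.partition(b"\r\n\r\n")[0]
        for line in headers.split(b"\r\n"):
            if (line.lower().startswith(b"content-disposition:")
                    and re.search(rb';\s*filename\*?\s*=', line, re.I)):
                count += 1
                break
    return count

def exceeds_upload_limit(content_type: str, body: bytes,
                         limit: int = DEFAULT_MAX_FILE_UPLOADS) -> bool:
    """True when the request should be rejected before it reaches the backend."""
    return count_file_parts(content_type, body) > limit
```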

