Bug 540459 (CVE-2009-4017)

Summary: CVE-2009-4017 PHP: resource exhaustion attack via upload requests with lots of files
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
URL: http://seclists.org/fulldisclosure/2009/Nov/228
Keywords: Security
Reporter: Jan Lieskovsky <jlieskov>
Assignee: Red Hat Product Security <security-response-team>
CC: jorton, kreilly, squoggle
Doc Type: Bug Fix
Last Closed: 2013-04-05 15:43:43 UTC
Bug Depends On: 541594, 541595, 541596, 541597, 541598, 541971

Description Jan Lieskovsky 2009-11-23 13:13:32 UTC
Bogdan Calin reported a deficiency in the way PHP used to handle
form-based file uploads. A remote attacker could cause an Apache web
server denial of service (httpd collapses and becomes unresponsive)
by submitting a PHP file upload request encompassing an enormous (15000+)
number of files.

References:
-----------
[1] http://seclists.org/fulldisclosure/2009/Nov/228
[2] http://bugs.gentoo.org/show_bug.cgi?id=293888

Comment 2 Jan Lieskovsky 2009-11-23 13:19:27 UTC
This issue affects the versions of the php package, as shipped with
Red Hat Enterprise Linux 3, 4, and 5.

This issue affects the versions of the php package, as shipped with
Fedora releases 10, 11, and 12.

Comment 8 Jan Lieskovsky 2009-11-24 08:20:19 UTC
This is CVE-2009-4017:
----------------------

PHP 5.2.11, and 5.3.x before 5.3.1, does not restrict the number of
temporary files created when handling a multipart/form-data POST
request, which allows remote attackers to cause a denial of service
(resource exhaustion), and makes it easier for remote attackers to
exploit local file inclusion vulnerabilities, via multiple requests,
related to lack of support for the max_file_uploads directive.

Comment 10 Tomas Hoger 2009-11-25 14:53:14 UTC
This problem can be used as part of a DoS attack where PHP creates lots of temporary files to store the content of the files being uploaded.  If an attacker can generate enough concurrent POST requests with a large number of uploaded files, the large number of temporary files will slow down the creation of additional temporary files, resulting in increasing system load.

As noted in the original report, this can be avoided by disabling the handling of file uploads, if they are not needed, using the file_uploads option in php.ini.  The file_uploads setting is on by default.

If file uploads are needed, reducing the maximum POST body size can help mitigate this flaw.  That can be done via PHP's post_max_size configuration option (default of 8M) or httpd's LimitRequestBody directive (unlimited by default).  This should be used with care, as the limit needs to be higher than what is needed for legitimate POSTs.  An attacker needs about 70 bytes in the request per file, so even a 1M post_max_size limit allows a lot more than 10000 files per request.

Limiting the number of connections / requests per IP and other DoS protections can help here too.
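
The sizing argument in comment 10 (about 70 bytes per file part, so post_max_size on its own is a weak cap) can be checked with the following added example. It is written for this page in Python and is not code from the bug report, from PHP, or from the reproducer linked in comment 11. It builds the smallest multipart/form-data part that still carries a filename, measures the per-file overhead from that body, converts PHP's size shorthand (K/M/G), and audits two constructed php.ini fragments. The php.ini reader is a minimal stand-in (key = value lines, ';' comments), and treating an absent max_file_uploads as "no cap" is an assumption that matches the CVE text for builds without the directive, not the default of fixed PHP builds. No request is sent anywhere; the body is only built to be measured.

```python
"""Added example (not from the bug report): size a multipart upload body
and audit php.ini settings discussed in comment 10 of CVE-2009-4017.
All php.ini text below is constructed for illustration."""
import re

BOUNDARY = b"----x"  # arbitrary short boundary, chosen to keep parts small


def multipart_body(n_files: int, boundary: bytes = BOUNDARY) -> bytes:
    """Return a minimal multipart/form-data body with n_files file parts.

    Each part carries only a Content-Disposition header with a filename,
    which is what makes PHP treat it as a file upload; the content is empty.
    Nothing here sends a request; the body is built only to measure it.
    """
    part = (
        b"--" + boundary + b"\r\n"
        b'Content-Disposition: form-data; name="f[]"; filename="a"\r\n'
        b"\r\n"  # end of part headers
        b"\r\n"  # empty content, then CRLF before the next boundary
    )
    return part * n_files + b"--" + boundary + b"--\r\n"


def bytes_per_file() -> int:
    """Per-file overhead of the minimal body above (the closing boundary cancels out)."""
    return len(multipart_body(2)) - len(multipart_body(1))


def parse_ini_size(value: str) -> int:
    """Parse PHP's shorthand byte notation (e.g. '8M', '512K', '1G') to bytes."""
    m = re.fullmatch(r"\s*(\d+)\s*([KkMmGg]?)\s*", value)
    if not m:
        raise ValueError(f"unrecognised size: {value!r}")
    return int(m.group(1)) << {"": 0, "k": 10, "m": 20, "g": 30}[m.group(2).lower()]


def files_per_request(post_max_size: str) -> int:
    """Upper bound on file parts a single POST can carry under post_max_size."""
    return parse_ini_size(post_max_size) // bytes_per_file()


def parse_php_ini(text: str) -> dict:
    """Tiny php.ini reader (stand-in): 'key = value' lines, ';' comments, no sections."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip()
    return settings


def audit_php_ini(text: str) -> dict:
    """Report the effective per-request file cap implied by a php.ini fragment.

    Returns {'uploads_enabled': bool, 'cap': int, 'finding': str}.
    Assumption: an absent max_file_uploads imposes no cap, which is the
    situation the CVE describes for PHP builds without the directive.
    """
    ini = parse_php_ini(text)
    enabled = ini.get("file_uploads", "On").lower() in ("1", "on", "true", "yes")
    if not enabled:
        return {"uploads_enabled": False, "cap": 0, "finding": "file uploads disabled"}
    by_size = files_per_request(ini.get("post_max_size", "8M"))  # PHP default 8M
    if "max_file_uploads" in ini:
        cap = min(by_size, int(ini["max_file_uploads"]))
        return {"uploads_enabled": True, "cap": cap,
                "finding": f"max_file_uploads caps a request at {cap} files"}
    return {"uploads_enabled": True, "cap": by_size,
            "finding": f"no max_file_uploads; post_max_size alone allows {by_size} files per request"}


WEAK_INI = """
; constructed php.ini fragment: shipped defaults, no per-request file cap
file_uploads = On
post_max_size = 8M
"""

HARDENED_INI = """
; constructed php.ini fragment: cap files per request and shrink the body
file_uploads = On
max_file_uploads = 20
post_max_size = 2M
"""

if __name__ == "__main__":
    print("bytes per file part:", bytes_per_file())
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit_php_ini(ini))
```

With the minimal part used here the overhead is 71 bytes per file, so a 1M post_max_size still admits 14768 file parts in one request, and the 8M default over 118000; only max_file_uploads (or file_uploads = Off) brings the cap down to something a temp-file budget can absorb.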

Comment 11 Jan Lieskovsky 2009-11-25 15:56:18 UTC
Public reproducer:

  http://www.paste-it.com/view/77958658

pointed out by Moritz Naumann on full-disclosure list:

  http://seclists.org/fulldisclosure/2009/Nov/262

Comment 15 Fedora Update System 2009-11-27 18:45:09 UTC
php-pear-Mail-1.1.14-5.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/php-pear-Mail-1.1.14-5.fc12

Comment 16 Fedora Update System 2009-11-27 18:46:19 UTC
php-pear-Mail-1.1.14-5.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/php-pear-Mail-1.1.14-5.fc11

Comment 17 Fedora Update System 2009-11-27 18:51:09 UTC
php-pear-Mail-1.1.14-5.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/php-pear-Mail-1.1.14-5.fc10

Comment 18 Mac 2009-12-16 14:59:58 UTC
Will there be a fix for Red Hat Enterprise Linux 3, 4, and 5?

Comment 19 Tomas Hoger 2010-01-04 14:34:01 UTC
(In reply to comment #18)
> Will there be a fix for Red Hat Enterprise Linux 3, 4, and 5?

max_file_uploads is planned to be introduced in the upcoming PHP updates for all supported Red Hat Enterprise Linux versions.

Comment 20 errata-xmlrpc 2010-01-13 18:10:11 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 3

Via RHSA-2010:0040 https://rhn.redhat.com/errata/RHSA-2010-0040.html

Comment 21 Fedora Update System 2010-02-01 01:09:15 UTC
php-5.2.12-1.fc11, maniadrive-1.2-17.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.