Bug 540459 - (CVE-2009-4017) CVE-2009-4017 PHP: resource exhaustion attack via upload requests with lots of files
Product: Security Response
Classification: Other
Component: vulnerability
All Linux
medium Severity medium
Assigned To: Red Hat Product Security
: Security
Depends On: 541594 541595 541596 541597 541598 541971
Reported: 2009-11-23 08:13 EST by Jan Lieskovsky
Modified: 2013-04-05 11:43 EDT (History)
3 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-04-05 11:43:43 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments: None
Description Jan Lieskovsky 2009-11-23 08:13:32 EST
Bogdan Calin reported a deficiency in the way PHP used to handle
form-based file uploads. A remote attacker could cause Apache web
server denial of service (httpd collapses and gets unresponsive)
by submitting a PHP file upload request encompassing an enormous (15000+)
number of files.

[1] http://seclists.org/fulldisclosure/2009/Nov/228
[2] http://bugs.gentoo.org/show_bug.cgi?id=293888
Comment 2 Jan Lieskovsky 2009-11-23 08:19:27 EST
This issue affects the versions of the php package, as shipped with
Red Hat Enterprise Linux 3, 4, and 5.

This issue affects the versions of the php package, as shipped with
Fedora releases 10, 11, and 12.
Comment 8 Jan Lieskovsky 2009-11-24 03:20:19 EST
This is CVE-2009-4017:

PHP 5.2.11, and 5.3.x before 5.3.1, does not restrict the number of
temporary files created when handling a multipart/form-data POST
request, which allows remote attackers to cause a denial of service
(resource exhaustion), and makes it easier for remote attackers to
exploit local file inclusion vulnerabilities, via multiple requests,
related to lack of support for the max_file_uploads directive.
Comment 10 Tomas Hoger 2009-11-25 09:53:14 EST
This problem can be used as part of a DoS attack where PHP creates lots of temporary files to store the content of the files being uploaded.  If an attacker can generate enough concurrent POST requests with a large number of uploaded files, the large number of temporary files will slow down creation of additional temporary files, resulting in increasing system load.

As noted in the original report, this can be avoided by disabling handling of file uploads, if they are not needed, using the file_uploads option in php.ini.  The file_uploads setting is on by default.

If file uploads are needed, reducing the maximum POST body size can help mitigate this flaw.  That can be done via PHP's post_max_size configuration option (default of 8M) or httpd's LimitRequestBody directive (unlimited by default).  This should be used with care, as the limit needs to be higher than what is needed for legitimate POSTs.  An attacker needs about 70 bytes in the request per file, so even a 1M post_max_size limit allows a lot more than 10000 files per request.

Limiting the number of connections / requests per IP and other DoS protections can help here too.
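An added worked example, not from the bug report and not PHP's own rfc1867.c, that puts numbers on comment 10's mitigation advice and on the missing max_file_uploads check described in comment 8. It builds a multipart/form-data body locally (nothing is sent), measures how many request bytes each file part costs, computes how many parts fit under a given post_max_size, and models the cap that max_file_uploads imposes: parts past the cap are skipped instead of getting a temporary file. The boundary string, the fixed part layout (field "f", filename "a", one-byte payload) and the skip-past-the-cap model are assumptions made here; 20 is PHP's default for max_file_uploads.

```python
"""Worked illustration of the CVE-2009-4017 mitigation arithmetic.

Constructed example: this is not PHP's upload handling code, only a model
of the request-side numbers discussed in the bug (bytes per file part,
post_max_size, max_file_uploads). No request is sent anywhere.
"""
from typing import Optional

# Assumed boundary string; any short token works for the arithmetic.
BOUNDARY = b"AaB03x"


def build_multipart(n_files: int, boundary: bytes = BOUNDARY) -> bytes:
    """Build a multipart/form-data body carrying n_files one-byte file parts.

    Every part is identical (field "f", filename "a", payload "x"), so the
    body grows by a fixed number of bytes per file part.
    """
    part = (
        b"--" + boundary + b"\r\n"
        + b'Content-Disposition: form-data; name="f"; filename="a"\r\n'
        + b"\r\n"
        + b"x\r\n"
    )
    return part * n_files + b"--" + boundary + b"--\r\n"


def bytes_per_file_part() -> int:
    """Request bytes one extra file part costs (the '~70 bytes' of comment 10)."""
    return len(build_multipart(2)) - len(build_multipart(1))


def parse_php_size(value: str) -> int:
    """Interpret a php.ini shorthand byte value such as '8M', '512K' or '100'."""
    units = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
    value = value.strip()
    if not value:
        raise ValueError("empty size value")
    suffix = value[-1].upper()
    if suffix in units:
        return int(value[:-1]) * units[suffix]
    return int(value)


def parts_that_fit(post_max_size: str, per_part: int) -> int:
    """How many file parts a single request can carry under post_max_size."""
    return parse_php_size(post_max_size) // per_part


def accept_file_parts(body: bytes, boundary: bytes = BOUNDARY,
                      max_file_uploads: Optional[int] = 20) -> int:
    """Count the file parts that would each get a temporary file.

    Simplified model (assumption) of the max_file_uploads directive added in
    PHP 5.3.1: file parts beyond the cap are skipped rather than stored.
    max_file_uploads=None models the unpatched behaviour, where every file
    part gets a temporary file.
    """
    delimiter = b"--" + boundary
    accepted = 0
    for chunk in body.split(delimiter)[1:]:   # bytes before the first delimiter are preamble
        if chunk.startswith(b"--"):           # closing delimiter: no more parts
            break
        headers = chunk.partition(b"\r\n\r\n")[0]
        if b"filename=" not in headers.lower():
            continue                          # ordinary form field, not a file
        if max_file_uploads is not None and accepted >= max_file_uploads:
            continue                          # over the cap: skipped, no temp file
        accepted += 1
    return accepted


if __name__ == "__main__":
    per_part = bytes_per_file_part()
    print(f"bytes per file part: {per_part}")
    for limit in ("8M", "1M", "64K"):
        print(f"post_max_size={limit}: up to {parts_that_fit(limit, per_part)} file parts")
    body = build_multipart(15000)
    print(f"15000-part body is {len(body)} bytes; temp files without cap: "
          f"{accept_file_parts(body, max_file_uploads=None)}, with default cap: "
          f"{accept_file_parts(body)}")
```

The point comment 10 makes falls out of the numbers: at 71 bytes per part even a 1M post_max_size leaves room for more than 14000 file parts, so a body-size limit alone only shrinks the attack, while a per-request cap on file parts bounds the number of temporary files regardless of body size.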
Comment 11 Jan Lieskovsky 2009-11-25 10:56:18 EST
Public reproducer:


pointed out by Moritz Naumann on full-disclosure list:

Comment 15 Fedora Update System 2009-11-27 13:45:09 EST
php-pear-Mail-1.1.14-5.fc12 has been submitted as an update for Fedora 12.
Comment 16 Fedora Update System 2009-11-27 13:46:19 EST
php-pear-Mail-1.1.14-5.fc11 has been submitted as an update for Fedora 11.
Comment 17 Fedora Update System 2009-11-27 13:51:09 EST
php-pear-Mail-1.1.14-5.fc10 has been submitted as an update for Fedora 10.
Comment 18 Mac 2009-12-16 09:59:58 EST
Will there be a fix for Red Hat Enterprise Linux 3, 4, and 5?
Comment 19 Tomas Hoger 2010-01-04 09:34:01 EST
(In reply to comment #18)
> Will there be a fix for Red Hat Enterprise Linux 3, 4, and 5?

max_file_uploads is planned to be introduced in the upcoming PHP updates for all supported Red Hat Enterprise Linux versions.
Comment 20 errata-xmlrpc 2010-01-13 13:10:11 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 3

Via RHSA-2010:0040 https://rhn.redhat.com/errata/RHSA-2010-0040.html
Comment 21 Fedora Update System 2010-01-31 20:09:15 EST
php-5.2.12-1.fc11, maniadrive-1.2-17.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
