PHP multipart/form-data denial of service

Description
  • Note: this alert was generated using only banner information, so it may be a false positive.

    When a POST request with the content type multipart/form-data that includes a list of files is sent to a PHP script, PHP creates a temporary file for each file in the request. It creates these files regardless of whether the script handles file uploads at all, and deletes them once the script has finished executing. The problem is that a request can contain a very large number of files, all of which PHP must create before the script runs and delete afterwards.

    The denial of service condition arises when many requests are sent, each containing a large number (15000+) of files: the web server has to create and delete an enormous number of files in a very short period of time and stops responding. Any website that runs PHP with file uploading enabled (the default configuration) is affected; no file upload script needs to be present.

    Affected PHP versions: up to 5.3.0.
Remediation
  • Workarounds:
    1. Disable file uploads
       If you do not need file uploading, disable it in php.ini:
         file_uploads = Off
    2. Install PHP 5.3.1
       If you cannot disable file uploading on your website, install the latest version of PHP. PHP 5.3.1 includes a patch for this problem:
         - Added max_file_uploads INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion.
    3. Install the Suhosin PHP extension
       The Suhosin PHP extension has an option named suhosin.upload.max_uploads, which defines the maximum number of files that may be uploaded in one request; by default it is set to 25. The Suhosin extension should not be confused with the Suhosin Patch, which does not protect against this attack.
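    As an added audit check, not part of the original advisory: a small PHP script that reports whether any of the three mitigations above is in effect on the installation it runs under. The function name is an assumption of this example; it uses only standard PHP functions and stays compatible with PHP 5.x syntax.

```php
<?php
// Added example (not from the advisory): audit the running PHP configuration
// for the mitigations listed in the Remediation section. Run it with the same
// SAPI you want to audit (CLI and web php.ini files often differ).

function check_upload_dos_mitigations() {
    $f = array();

    // 1. Uploads disabled entirely: PHP creates no temporary files for
    //    multipart/form-data bodies at all.
    $uploads = filter_var(ini_get('file_uploads'), FILTER_VALIDATE_BOOLEAN);
    $f['file_uploads_disabled'] = !$uploads;

    // 2. max_file_uploads exists only from PHP 5.3.1 on. On older builds the
    //    directive is unknown and ini_get() returns false.
    $max = ini_get('max_file_uploads');
    $f['max_file_uploads'] = ($max === false) ? null : (int) $max;

    // 3. Suhosin's own per-request cap, only meaningful when the extension
    //    (not the Suhosin Patch) is loaded.
    if (extension_loaded('suhosin')) {
        $f['suhosin_max_uploads'] = (int) ini_get('suhosin.upload.max_uploads');
    } else {
        $f['suhosin_max_uploads'] = null;
    }

    $f['php_version'] = PHP_VERSION;
    $f['php_at_least_5_3_1'] = version_compare(PHP_VERSION, '5.3.1', '>=');

    // Treat the host as mitigated if uploads are off, or a positive
    // per-request cap is enforced by PHP itself or by Suhosin.
    $f['mitigated'] = $f['file_uploads_disabled']
        || ($f['max_file_uploads'] !== null && $f['max_file_uploads'] > 0)
        || ($f['suhosin_max_uploads'] !== null && $f['suhosin_max_uploads'] > 0);

    return $f;
}

$result = check_upload_dos_mitigations();
foreach ($result as $key => $value) {
    printf("%-24s %s\n", $key, var_export($value, true));
}
```

    A host where mitigated prints false is running with the default, unlimited per-request upload count described in the Description section.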
References