oss-sec mailing list archives
Re: CVE request: php 5.3.1 update
From: Eren Türkay <eren () pardus org tr>
Date: Fri, 20 Nov 2009 19:46:14 +0200
On Friday 20 November 2009 12:41:50 pm Thomas Biege wrote:
* Added "max_file_uploads" INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion.
Bogdan Calin disclosed the details about that vulnerability on full-disclosure mailing list. He didn't disclosed his script but I wrote a PoC that works like a charm. It makes DoS possible for any server that runs PHP within 1 minute with a few requests. Additionally, this vulnerability affects 5.2.11. I guess all products before PHP 5.3.1 are vulnerable. I think this deserves CVE Id. Any ideas?
Current thread:
- CVE request: php 5.3.1 update Thomas Biege (Nov 20)
- Re: CVE request: php 5.3.1 update Joe Orton (Nov 20)
- Re: CVE request: php 5.3.1 update Tomas Hoger (Nov 20)
- Re: CVE request: php 5.3.1 update Eren Türkay (Nov 20)
- Re: CVE request: php 5.3.1 update security curmudgeon (Nov 21)
- Re: CVE request: php 5.3.1 update Joe Orton (Nov 20)