FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2009-4017

This CVE name corresponds to:

Entered     Topic
2009-12-17  php -- multiple vulnerabilities

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type   Candidate
Name   CVE-2009-4017
Phase  Assigned(20091120)

Description

PHP before 5.2.12 and 5.3.x before 5.3.1 does not restrict the number of temporary files created when handling a multipart/form-data POST request, which allows remote attackers to cause a denial of service (resource exhaustion), and makes it easier for remote attackers to exploit local file inclusion vulnerabilities, via multiple requests, related to lack of support for the max_file_uploads directive.

References

Source    Reference
BUGTRAQ   20091120 PHP "multipart/form-data" denial of service
FULLDISC  20091120 PHP "multipart/form-data" denial of service
MLIST     [oss-security] 20091120 CVE request: php 5.3.1 update
MLIST     [oss-security] 20091120 Re: CVE request: php 5.3.1 update
MLIST     [php-announce] 20091119 5.3.1 Release announcement
MISC      http://www.acunetix.com/blog/websecuritynews/php-multipartform-data-denial-of-service/
CONFIRM   http://www.php.net/ChangeLog-5.php
CONFIRM   http://www.php.net/releases/5_3_1.php
CONFIRM   http://www.php.net/releases/5_2_12.php
CONFIRM   http://support.apple.com/kb/HT4077
APPLE     APPLE-SA-2010-03-29-1
DEBIAN    DSA-1940
HP        HPSBUX02543
HP        SSRT100152
HP        HPSBMA02568
HP        SSRT100219
MANDRIVA  MDVSA-2009:303
MANDRIVA  MDVSA-2009:305
OVAL      oval:org.mitre.oval:def:10483
OVAL      oval:org.mitre.oval:def:6667
SECUNIA   37482
SECUNIA   37821
SECUNIA   40262
SECUNIA   41480
SECUNIA   41490
VUPEN     ADV-2009-3593
XF        php-multipart-formdata-dos(54455)