PHP version 5.3.1 was just released. This release contains a patch for a denial of service condition that we reported on 27 October 2009. The problem is that you can include a very large number of files in a single request. PHP needs to create a temporary file for each of them before the script is executed and delete them afterwards.
Credit:
The information has been provided by Bogdan Calin.
Vulnerable Systems:
* PHP version 5.3.0 and prior
Immune Systems:
* PHP version 5.3.1
This release contains a patch for a denial of service condition that we reported on 27 October 2009. The problem is related to PHP's handling of RFC 1867 (Form-based File Upload in HTML).
When you send a POST request to a PHP script with the content-type "multipart/form-data" and include a list of files in that request, PHP creates a temporary file for each file in the request. PHP creates those files regardless of whether the script handles file uploads or not. After the script has executed, the temporary files are deleted.
The denial of service condition appears when you create a bunch of requests, each containing a large number (15000+) of files. When you send these requests to the web server, the web server collapses and stops responding because it has to process (create and delete) an insane number of files in a very short period of time.
Any website that runs PHP and where file uploading is enabled (which is the default configuration) is vulnerable. You don't need to have a file upload script.
PHP does include two configuration settings that are related to this situation: upload_max_filesize and post_max_size. However, they limit the size of the request, not the number of files in it, so they are not enough to protect against this denial of service attack.
Workarounds
Currently, I'm aware of three workarounds for this problem:
1. Disable file uploads. If you don't need file uploading, you can disable this feature from php.ini: file_uploads = Off
2. Install PHP 5.3.1. If you cannot disable file uploading on your website, it's recommended to install the latest version of PHP. PHP 5.3.1 includes a patch for this problem; from its changelog: "Added "max_file_uploads" INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion."
3. Install the Suhosin PHP extension. The Suhosin PHP extension has an option named "suhosin.upload.max_uploads". This option defines the maximum number of files that may be uploaded in one request and by default is set to 25. The Suhosin PHP extension should not be confused with the Suhosin Patch, which does not protect against this attack.
Quote from the hardened-php website: "Suhosin comes in two independent parts, that can be used separately or in combination. The first part is a small patch against the PHP core, that implements a few low-level protections against buffer overflows or format string vulnerabilities and the second part is a powerful PHP extension that implements all the other protections."
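As an added check (not code from the advisory, from PHP or from the Suhosin project): a PHP script that reports whether a host has one of the three workarounds above in place, by reading the INI directives the advisory names. The function name and its optional parameters are my own; with no arguments it audits the host it runs on.

```php
<?php
// Added example: audit a host's INI settings for the temporary-file exhaustion
// DoS described above. Script code cannot stop the attack (the temp files are
// created before any script runs), so the only controls are the directives the
// advisory names: file_uploads, max_file_uploads (PHP >= 5.3.1) and, only when
// the Suhosin *extension* rather than the core patch is loaded, suhosin.upload.max_uploads.
function upload_dos_audit($ini = null, $version = PHP_VERSION, $suhosin = null)
{
    // $ini/$version/$suhosin accept constructed values (e.g. a dumped php.ini);
    // with no arguments the live host is audited via ini_get()/extension_loaded().
    $get = function ($key, $default = false) use ($ini) {
        if ($ini === null) {
            return ini_get($key); // false when this build lacks the directive
        }
        return array_key_exists($key, $ini) ? $ini[$key] : $default;
    };
    if ($suhosin === null) {
        $suhosin = extension_loaded('suhosin');
    }
    $findings = array();
    $mitigated = false;
    // Workaround 1: uploads disabled. INI booleans are strings ("1", "0", "",
    // "On", "Off"); FILTER_VALIDATE_BOOLEAN normalises them. Default is On.
    if (!filter_var($get('file_uploads', '1'), FILTER_VALIDATE_BOOLEAN)) {
        $mitigated = true;
        $findings[] = 'file_uploads is Off: no temporary upload files are created';
    }
    // Workaround 2: PHP 5.3.1+ caps file parts per request (20 by default).
    if (version_compare($version, '5.3.1', '>=')) {
        $max = $get('max_file_uploads');
        if ($max !== false && (int) $max > 0) {
            $mitigated = true;
            $findings[] = "max_file_uploads = $max on PHP $version";
        }
    } else {
        $findings[] = "PHP $version predates max_file_uploads (added in 5.3.1)";
    }
    // Workaround 3: Suhosin extension caps uploads per request (25 by default).
    if ($suhosin) {
        $smax = $get('suhosin.upload.max_uploads');
        if ($smax !== false && (int) $smax > 0) {
            $mitigated = true;
            $findings[] = "suhosin.upload.max_uploads = $smax";
        }
    }
    return array('mitigated' => $mitigated, 'findings' => $findings);
}
$r = upload_dos_audit(); // live audit; pass constructed arrays to check other configs
echo ($r['mitigated'] ? "mitigated" : "VULNERABLE: no per-request upload limit"), "\n", implode("\n", $r['findings']), "\n";
```

A host on PHP 5.3.0 or older with file_uploads = On and no Suhosin extension is reported as vulnerable even if upload_max_filesize and post_max_size are set, matching the advisory's point that those two directives do not help.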
It's recommended to apply one of the workarounds described above as soon as possible. Below are some conclusions I've gathered from testing this on different systems.
This attack can make the web server unresponsive in a short period of time (under 2 minutes) with a very small number of requests. Also, this attack doesn't leave any obvious tracks in the logs (only a bunch of POST requests) and can be executed through a proxy server. Some operating systems will handle this condition very badly.
For example, in one case (a FreeBSD 7.1 system), the network stack completely crashed and the server was unreachable from the local network. I had to manually restart it from the console.
On Linux (Ubuntu), the web server will not be reachable for hours after being attacked for 1-2 minutes.