5

CVE-2009-4017

PHP before 5.2.12 and 5.3.x before 5.3.1 does not restrict the number of temporary files created when handling a multipart/form-data POST request, which allows remote attackers to cause a denial of service (resource exhaustion), and makes it easier for remote attackers to exploit local file inclusion vulnerabilities, via multiple requests, related to lack of support for the max_file_uploads directive.

Data is provided by the National Vulnerability Database (NVD)
PhpPhp Version < 5.2.12
PhpPhp Version5.3.0 Update-
PhpPhp Version5.3.0 Updatealpha1
PhpPhp Version5.3.0 Updatealpha2
PhpPhp Version5.3.0 Updatealpha3
PhpPhp Version5.3.0 Updatebeta1
PhpPhp Version5.3.0 Updaterc1
PhpPhp Version5.3.0 Updaterc2
PhpPhp Version5.3.0 Updaterc3
PhpPhp Version5.3.0 Updaterc4
ApplemacOS X Version10.6.3
DebianDebian Linux Version4.0
DebianDebian Linux Version5.0
DebianDebian Linux Version6.0
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 1.3% 0.791
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:N/I:N/A:P
CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

http://www.php.net/ChangeLog-5.php
Vendor Advisory
Release Notes
http://www.debian.org/security/2009/dsa-1940
Third Party Advisory
Mailing List
http://news.php.net/php.announce/79
Mailing List
Release Notes
http://www.php.net/releases/5_3_1.php
Vendor Advisory
Release Notes
http://seclists.org/fulldisclosure/2009/Nov/228
Third Party Advisory
Mailing List
http://www.securityfocus.com/archive/1/507982/100/0/threaded
Third Party Advisory
Broken Link
VDB Entry