Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2009-4017: Allocation of Resources Without Limits or Throttling in PHP

Severity: 5.0 MEDIUM (NVD)
EPSS: 1.9% (top 16.60%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Nov 24; latest update May 2

Description

PHP before 5.2.12 and 5.3.x before 5.3.1 does not restrict the number of temporary files created when handling a multipart/form-data POST request, which allows remote attackers to cause a denial of service (resource exhaustion), and makes it easier for remote attackers to exploit local file inclusion vulnerabilities, via multiple requests, related to lack of support for the max_file_uploads directive.

CVSS vector

AV:N/AC:L/C:N/I:N/A:P (Exploitability: 10.0 | Impact: 2.9)

Affected Packages (2 packages)

NVD: php/php < 5.2.12 (+1)
NVD: apple/mac_os_x 10.6.3

Also affects: Debian Linux 4.0, 5.0, 6.0

Patches

Vulnerability Details (1)

GHSA: GHSA-79rp-c2fh-g5j7: PHP before 5 (2022-05-02)

Exploits & PoCs (1)

Exploit-DB: PHP < 5.3.1 - 'MultiPart/form-data' Denial of Service (2009-11-27)

Vendor Advisories (2)

Ubuntu: PHP vulnerabilities (2009-11-26)
Red Hat: PHP: resource exhaustion attack via upload requests with lots of files (2009-11-20)

Framework References (1)

CWE: Allocation of Resources Without Limits or Throttling

Community (1)

Bugzilla: CVE-2009-4017 PHP: resource exhaustion attack via upload requests with lots of files (2009-11-23)
CVE-2009-4017 — PHP vulnerability | cvebase