Description
When you send a POST request to a PHP script with the content-type of multipart/form-data and include a list of files in that request, PHP will create a temporary file for each file from the request. PHP will create those files regardless if the script can handle file uploading or not. After the script was executed, the temporary files will be deleted. The problem is that you can include a very large number of files in the request. PHP will need to create those files before the script is executed and delete them afterwards.
The denial of service condition appears when you create a bunch of requests, each containing a large number (15000+) of files. When you send these requests to the web server, the web server collapses and stops responding because it has to process (create & delete) an insane number of files in a very short period of time. Any website that runs PHP and where file uploading is enabled (which is the default configuration) is vulnerable. You don't need to have a file upload script.
Affected PHP versions (up to 5.3.0).
Remediation
Workarounds:
1. Disable file uploads
If you don't need file uploading, you can disable this feature from php.ini
file_uploads = Off
2. Install PHP 5.3.1
If you cannot disable file uploading on your website, it's recommended to install the latest version of PHP. PHP 5.3.1 includes a patch for this problem:
- Added max_file_uploads INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion.
3. Install Suhosin PHP extension
The Suhosin PHP extension has an option named suhosin.upload.max_uploads. This option defines the maximum number of files that may be uploaded with one request and by default is set to 25. Suhosin PHP extension should not be confused with the Suhosin Patch which does not protect against this attack.