[ic] Multipart Form Data Denial of Service

Stefan Hornburg (Racke) racke at linuxia.de
Thu Nov 26 08:04:08 UTC 2009


Hello Interchange enthusiasts,

This morning I upgraded PHP5 packages on Debian machines. While reading the security
advisory I wondered whether Interchange or other web applications are affected
by this DOS type:

--snip--
Bogdan Calin discovered that a remote attacker could cause a denial of service by uploading a large number of files in using multipart/form-data requests,
causing the creation of a large number of temporary files.

To address this issue, the max_file_uploads option introduced in PHP 5.3.1 has been backported. This option limits the maximum number of files uploaded per request.
--snap--

More information:
http://seclists.org/fulldisclosure/2009/Nov/228

Regards
         Racke

-- 
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team
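
The per-request file limit described in the quoted advisory, as an added example that is not part of the original post and is neither PHP's nor Interchange's code: a line-by-line pre-check that counts the file parts of a multipart/form-data body and rejects the request before any temporary file is created. The names `count_file_parts`, `TooManyFiles` and `build_sample_body` are hypothetical, and the sample request body is constructed.

```python
import io
import re

MAX_FILE_UPLOADS = 20  # assumed cap; 20 is the default PHP ships for max_file_uploads

class TooManyFiles(Exception):
    """Raised when a request carries more file parts than the cap allows."""

# A part is a file upload when its Content-Disposition header has a filename parameter.
_FILE_PART = re.compile(rb"^content-disposition:.*;\s*filename\*?=", re.I)

def count_file_parts(stream, boundary, limit=MAX_FILE_UPLOADS):
    """Count file parts in a multipart/form-data body read line by line.

    Stops with TooManyFiles at the first part over the limit, so the caller
    can reject the request before creating temporary files for it.
    """
    delimiter = b"--" + boundary
    closing = delimiter + b"--"
    in_headers = False
    files = 0
    for raw in stream:
        line = raw.rstrip(b"\r\n")
        if line == closing:
            break
        if line == delimiter:
            in_headers = True          # part headers follow a delimiter line
        elif in_headers and line == b"":
            in_headers = False         # blank line ends the part headers
        elif in_headers and _FILE_PART.match(line):
            files += 1
            if files > limit:
                raise TooManyFiles(f"more than {limit} file parts in one request")
    return files

def build_sample_body(n_files, boundary=b"XBOUNDARYX"):
    """Constructed sample request body: one text field plus n_files tiny files."""
    parts = [b'Content-Disposition: form-data; name="comment"\r\n\r\nhello\r\n']
    for i in range(n_files):
        parts.append(
            b'Content-Disposition: form-data; name="f%d"; filename="f%d.txt"\r\n'
            b"Content-Type: text/plain\r\n\r\nx\r\n" % (i, i)
        )
    body = b"".join(b"--" + boundary + b"\r\n" + p for p in parts)
    return io.BytesIO(body + b"--" + boundary + b"--\r\n")

if __name__ == "__main__":
    print(count_file_parts(build_sample_body(3), b"XBOUNDARYX"))   # within the cap
    try:
        count_file_parts(build_sample_body(25), b"XBOUNDARYX")
    except TooManyFiles as exc:
        print("rejected:", exc)
```

The check only helps if it runs on the raw request stream before the upload handler spools parts to disk; a total request-size limit is still needed alongside it.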



