November 24, 2009

Denial of Service in PHP

It was about time that the PHP team finally included a max_file_uploads directive to limit the number of file uploads per request (the default is 20). Until PHP 5.3.1, it was possible to send an arbitrary number X of file uploads in a request, creating X temporary files on the targeted system, which would cause the web server to crash and the system to overload. PHP-suhosin already has a max upload option “suhosin. ...
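The cap described above can also be checked in front of an interpreter that predates the directive. The following is an added example, not code from the original post or from PHP: it counts the file parts of a multipart/form-data body and compares the count with a limit. The function names, the boundary string and the sample body are assumptions constructed for illustration.

```python
from email.parser import BytesParser
from email.policy import HTTP

MAX_FILE_UPLOADS = 20  # the default the post gives for max_file_uploads


def count_file_parts(content_type: str, body: bytes) -> int:
    """Count the parts of a multipart/form-data body that carry a filename."""
    # Prepend the request's Content-Type so the MIME parser learns the boundary.
    raw = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n" + body
    msg = BytesParser(policy=HTTP).parsebytes(raw)
    if not msg.is_multipart():
        return 0  # urlencoded or malformed bodies contain no file parts
    # A part is a file upload when its Content-Disposition has a filename.
    return sum(1 for part in msg.iter_parts() if part.get_filename() is not None)


def allow_request(content_type: str, body: bytes, limit: int = MAX_FILE_UPLOADS) -> bool:
    """True when the request stays within the per-request file upload limit."""
    return count_file_parts(content_type, body) <= limit


def build_sample(boundary: str, n_files: int) -> bytes:
    """Constructed sample body: one text field plus n_files small file parts."""
    parts = [
        f'--{boundary}\r\n'
        'Content-Disposition: form-data; name="title"\r\n\r\nhello\r\n'
    ]
    for i in range(n_files):
        parts.append(
            f'--{boundary}\r\n'
            f'Content-Disposition: form-data; name="f{i}"; filename="f{i}.txt"\r\n'
            'Content-Type: text/plain\r\n\r\ndata\r\n'
        )
    parts.append(f'--{boundary}--\r\n')
    return "".join(parts).encode("ascii")


if __name__ == "__main__":
    ctype = "multipart/form-data; boundary=XBOUNDARY"
    body = build_sample("XBOUNDARY", 3)
    print(count_file_parts(ctype, body), allow_request(ctype, body, limit=2))
```

This version buffers the whole body before counting, so it belongs behind a request size limit; the text field in the sample is not counted because it has no filename.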