FYI if you are running PHP < 5.3.1

**thobarn** · 11-22-2009 04:49 AM

if you allow file uploads this bugtraq posting may be of interest to you. I confirmed the DOS condition on one of my servers. Although the author does not provide a POC, not much imagination required to build a LFI from the description, though I did not test this.

**Spiral** · 11-22-2009 10:40 AM

Thanks for that post, much appreciated. However, the flipside of the coin ...

If you are running PHP > 5.3 then you might want to see this:

PHP Multiple Vulnerabilities - Secunia Advisories - Vulnerability Information - Secunia.com

**m0rgulvale** · 12-05-2009 08:09 PM

does cpanel have a patch for the 5.2.11 vuln

**radeonpower** · 12-06-2009 07:29 PM

From what I've heard the PHP team will release 5.2.12 on thursday which fixes this problem.

**m0rgulvale** · 12-06-2009 08:05 PM

thx for reply

question:

does this mitigate flaw:

SecurityFocus

3. Install Suhosin PHP extension
The Suhosin PHP extension has an option named "suhosin.upload.max_uploads".
This option defines the maximum number of files that may be uploaded
with one request and by default is set to 25.
Suhosin PHP extension should not be confused with the Suhosin Patch
which does not protect against this attack.

edit php.ini to contain suhosin.upload.max_uploads = 25 ?

LinkBack

Thread Tools

FYI if you are running PHP < 5.3.1

php.ini per dir with php running as cgi

FYI - Hotmail Blacklisted

FYI: Monsoon Users

FYI PHP sending HTML emails

FYI - Latest version of PHP (4.3.x) breaks phpNuke. Here's a fix