CVE DATABASE / CVE-2009-4017
CVE-2009-4017
CVSS 5 · MEDIUM
Summary
PHP before 5.2.12 and 5.3.x before 5.3.1 does not restrict the number of temporary files created when handling a multipart/form-data POST request, which allows remote attackers to cause a denial of service (resource exhaustion), and makes it easier for remote attackers to exploit local file inclusion vulnerabilities, via multiple requests, related to lack of support for the max_file_uploads directive.
CVSS 2.0 breakdown
| Base score | 5 (MEDIUM) |
| Vector | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| Attack vector | NETWORK |
| Attack complexity | LOW |
| Confidentiality | NONE |
| Integrity | NONE |
| Availability | PARTIAL |
Weakness type (CWE)
Affected products
Php phpApple mac os xDebian debian linux
Check this CVE live
Use our free CVE Lookup tool for the latest NVD record, or browse the full CISA KEV catalog.
References
- http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
- http://marc.info/?l=bugtraq&m=127680701405735&w=2
- http://news.php.net/php.announce/79
- http://seclists.org/fulldisclosure/2009/Nov/228
- http://secunia.com/advisories/37482
- http://secunia.com/advisories/37821
- http://secunia.com/advisories/40262
- http://secunia.com/advisories/41480
- http://secunia.com/advisories/41490
- http://support.apple.com/kb/HT4077
- http://www.acunetix.com/blog/websecuritynews/php-multipartform-data-denial-of-service/
- http://www.debian.org/security/2009/dsa-1940
- http://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02512995
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:303
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:305
Data: NIST NVD. NVD last modified 2026-04-23. Always verify against the vendor advisory before acting.