Vulnerability Details: CVE-2009-4017
PHP before 5.2.12 and 5.3.x before 5.3.1 does not restrict the number of temporary files created when handling a multipart/form-data POST request, which allows remote attackers to cause a denial of service (resource exhaustion), and makes it easier for remote attackers to exploit local file inclusion vulnerabilities, via multiple requests, related to lack of support for the max_file_uploads directive.
Vulnerability category: File inclusion; Denial of service
Threat overview for CVE-2009-4017
Top open port discovered on systems with this issue: 80
IPs affected by CVE-2009-4017: 1,784
Threat actors abusing this issue? Yes
Exploit prediction scoring system (EPSS) score for CVE-2009-4017
Probability of exploitation activity in the next 30 days: 5.39%
Percentile (the proportion of vulnerabilities scored at or below this one): ~93%
CVSS scores for CVE-2009-4017
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST
CWE ids for CVE-2009-4017
- The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2009-4017
- http://secunia.com/advisories/41490 (Broken Link)
- http://news.php.net/php.announce/79: php.announce: 5.3.1 Release announcement (Mailing List; Release Notes)
- http://marc.info/?l=bugtraq&m=127680701405735&w=2: [security bulletin] HPSBUX02543 SSRT100152 rev.1 - HP-UX Running Apache with PHP, Remote Denial of Service (Third Party Advisory)
- http://www.php.net/releases/5_3_1.php: PHP 5.3.1 Release Announcement (Release Notes; Vendor Advisory)
- http://www.acunetix.com/blog/websecuritynews/php-multipartform-data-denial-of-service/: PHP "multipart/form-data" denial of service | Acunetix (Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2009/11/20/7: oss-security - Re: CVE request: php 5.3.1 update (Mailing List)
- http://www.vupen.com/english/advisories/2009/3593 (Broken Link)
- http://www.openwall.com/lists/oss-security/2009/11/20/2: oss-security - CVE request: php 5.3.1 update (Mailing List; Patch)
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10483 (Broken Link)
- http://secunia.com/advisories/40262 (Broken Link)
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:305 (Broken Link)
- http://secunia.com/advisories/37482 (Broken Link)
- http://www.securityfocus.com/archive/1/507982/100/0/threaded (Broken Link; Third Party Advisory; VDB Entry)
- http://seclists.org/fulldisclosure/2009/Nov/228: Full Disclosure: PHP "multipart/form-data" denial of service (Mailing List; Third Party Advisory)
- http://support.apple.com/kb/HT4077: About the security content of Security Update 2010-002 / Mac OS X v10.6.3 - Apple Support (Third Party Advisory)
- http://secunia.com/advisories/37821 (Broken Link)
- http://www.debian.org/security/2009/dsa-1940: [SECURITY] [DSA-1940-1] New php5 packages fix several issues (Mailing List; Third Party Advisory)
- http://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02512995 (Broken Link)
- http://secunia.com/advisories/41480 (Broken Link)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/54455: PHP multipart/form-data POST request denial of service CVE-2009-4017 Vulnerability Report (Third Party Advisory; VDB Entry)
- http://www.php.net/ChangeLog-5.php: PHP 5 ChangeLog (Release Notes; Vendor Advisory)
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:303 (Broken Link)
- http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html: Apple security-announce (Mailing List)
- http://www.php.net/releases/5_2_12.php: PHP 5.2.12 Release Announcement (Release Notes)
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6667 (Broken Link)
Products affected by CVE-2009-4017
- cpe:2.3:o:debian:debian_linux:4.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:5.0:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.3.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.3.0:alpha2:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.3.0:alpha3:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.3.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.3.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.3.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.3.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.3.0:rc4:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.3.0:-:*:*:*:*:*:*