NULL pointer dereference in PHP session upload progress

Publication Date: 2020-02-04
Severity: Moderate
Type: Denial of Service
Affected PHP Versions
  • 5.6.0 - 5.6.40
  • 7.0.0 - 7.0.33
  • 7.1.0 - 7.1.33
  • 7.2.0 - 7.2.27
  • 7.3.0 - 7.3.14
  • 7.4.0 - 7.4.2
Fixed Product Versions
  • ZendPHP 5.6
  • ZendPHP 7.1
  • ZendPHP 7.2
  • ZendPHP 7.3
  • ZendPHP 7.4
  • ZendServer 2019.0.4

CVE Details

In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15, and 7.4.x below 7.4.3, when using file upload functionality, if upload progress tracking is enabled, but session.upload_progress.cleanup is set to 0 (disabled) and the file upload fails, the upload procedure would try to clean up data that does not exist and encounter a null pointer dereference, which would likely lead to a crash.

Recommendations

Set the session.upload_progress.cleanup INI value to 1 (enabled).

When possible, upgrade to 7.2.28 or above, 7.3.15 or above, or 7.4.3 or above.
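
A check for the configuration described above, as an added example that is not part of the original advisory or of Zend's or PHP's code: it reads the effective INI values with ini_get() and compares the running version against the advisory's affected ranges. The syntax is kept compatible with PHP 5.6, the oldest affected branch; the exit codes and output wording are this example's own choices.

```php
<?php
// Added example (not from the advisory): reports whether this PHP runtime
// matches the conditions the advisory describes. PHP 5.6-compatible syntax.

// Ranges copied from the advisory's "Affected PHP Versions" list.
$affectedRanges = array(
    array('5.6.0', '5.6.40'), array('7.0.0', '7.0.33'), array('7.1.0', '7.1.33'),
    array('7.2.0', '7.2.27'), array('7.3.0', '7.3.14'), array('7.4.0', '7.4.2'),
);

function versionInAffectedRange($version, array $ranges)
{
    foreach ($ranges as $range) {
        list($low, $high) = $range;
        if (version_compare($version, $low, '>=') && version_compare($version, $high, '<=')) {
            return true;
        }
    }
    return false;
}

// ini_get() returns "", "0", "1", "Off", ... depending on how the value was
// set, or false if the directive is unknown; normalise all of them to bool.
function iniFlag($name)
{
    return filter_var(ini_get($name), FILTER_VALIDATE_BOOLEAN);
}

// Build the version from numeric parts so distro suffixes do not skew the comparison.
$version  = PHP_MAJOR_VERSION . '.' . PHP_MINOR_VERSION . '.' . PHP_RELEASE_VERSION;
$inRange  = versionInAffectedRange($version, $affectedRanges);
$tracking = extension_loaded('session') && iniFlag('file_uploads')
    && iniFlag('session.upload_progress.enabled');
$cleanup  = iniFlag('session.upload_progress.cleanup');
$exposed  = $tracking && !$cleanup;   // the INI combination the advisory describes

printf("PHP %s (%s): version in affected range: %s\n", $version, PHP_SAPI, $inRange ? 'yes' : 'no');
printf("upload progress tracking active: %s\n", $tracking ? 'yes' : 'no');
printf("session.upload_progress.cleanup: %s\n", $cleanup ? 'on' : 'off');
if ($exposed && $inRange) {
    echo "RESULT: exposed; set session.upload_progress.cleanup=1 or upgrade\n";
    exit(2);
}
if ($exposed) {
    echo "RESULT: risky INI combination, version outside affected ranges\n";
    exit(1);
}
echo "RESULT: not exposed by configuration\n";
```

Run it under the same SAPI as the application (for example through the web server or PHP-FPM pool), since the CLI often loads a different php.ini. Vendor builds with backported fixes can report a version inside the listed ranges while already patched, so treat the version result as an indicator and confirm against the vendor's fixed-product list.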