CVE-2023-0662
DoS vulnerability when parsing multipart request body
Publication Date | 2023-02-14 |
---|---|
Severity | Critical |
Type | Cross-Site Request Forgery |
Affected PHP Versions | |
Fixed Product Versions | |
CVE Details
When parsing a multipart request body, depending on the number of parts and total size of the request body, PHP may fill all memory and/or available disk space, leading to a DoS vector. This vulnerability affects the mod_php and php-fpm SAPIs across all PHP versions.
Recommendations
We strongly recommend upgrading to a known patched version of PHP immediately.
If you cannot, you can mitigate this attack in a couple of ways:
- Reduce the configured `memory_limit` in your `php.ini` to a safe level. The default is 128M; consider a lower value that suits your application's needs.
- Reduce the maximum size of POST requests (or any request receiving a message content body) via the `post_max_size` value in the `php.ini`. The default is 8M; consider lowering this.
- Reduce the maximum file upload size via the `upload_max_filesize` setting in the `php.ini`. By default, this is 2M. (Please be aware that the `post_max_size` value MUST be larger than this value.)
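The following script is an added example (it is not part of the advisory and not code from the PHP project) that reads the three limits above from the running interpreter and reports whether they have been lowered from the defaults the advisory cites and whether `post_max_size` is larger than `upload_max_filesize`. The hardened `php.ini` values in the comment, the shorthand-size parser and the function names `ini_size_to_bytes` and `check_limits` are this example's own choices, not anything the advisory prescribes.

```php
<?php
// Added example (not from the advisory): checks the three php.ini limits the
// advisory recommends tightening, as the running SAPI actually sees them.
// Run with:  php check_limits.php
//
// Hardened php.ini fragment this check is meant to confirm (values are
// illustrative assumptions; pick what your application actually needs):
//   memory_limit        = 64M
//   post_max_size       = 4M
//   upload_max_filesize = 1M

declare(strict_types=1);

/**
 * Convert a php.ini shorthand size ("8M", "128K", "1G", "65536") to bytes.
 * The K/M/G suffix is accepted case-insensitively; "-1" means unlimited and
 * is returned as PHP_INT_MAX so that comparisons still work.
 */
function ini_size_to_bytes(string $value): int
{
    $value = trim($value);
    if ($value === '-1') {
        return PHP_INT_MAX;
    }
    if (!preg_match('/^(\d+)\s*([KMG]?)$/i', $value, $m)) {
        throw new InvalidArgumentException("Unparseable size value: {$value}");
    }
    $bytes = (int) $m[1];
    switch (strtoupper($m[2])) {
        case 'G': $bytes *= 1024; // fall through
        case 'M': $bytes *= 1024; // fall through
        case 'K': $bytes *= 1024;
    }
    return $bytes;
}

/**
 * Evaluate a set of limits against the advisory's guidance.
 * Returns a list of human-readable findings; an empty list means no issues.
 */
function check_limits(string $memoryLimit, string $postMaxSize, string $uploadMaxFilesize): array
{
    $mem    = ini_size_to_bytes($memoryLimit);
    $post   = ini_size_to_bytes($postMaxSize);
    $upload = ini_size_to_bytes($uploadMaxFilesize);

    $findings = [];

    // Advisory: post_max_size MUST be larger than upload_max_filesize.
    if ($post <= $upload) {
        $findings[] = "post_max_size ({$postMaxSize}) must be larger than upload_max_filesize ({$uploadMaxFilesize})";
    }
    // An unbounded memory_limit removes the ceiling the mitigation relies on.
    if ($mem === PHP_INT_MAX) {
        $findings[] = "memory_limit is unlimited (-1); set an explicit ceiling";
    }
    // Advisory: the defaults (128M / 8M / 2M) are the values to lower from.
    if ($mem >= ini_size_to_bytes('128M')) {
        $findings[] = "memory_limit ({$memoryLimit}) is at or above the 128M default; consider lowering it";
    }
    if ($post >= ini_size_to_bytes('8M')) {
        $findings[] = "post_max_size ({$postMaxSize}) is at or above the 8M default; consider lowering it";
    }
    if ($upload >= ini_size_to_bytes('2M')) {
        $findings[] = "upload_max_filesize ({$uploadMaxFilesize}) is at or above the 2M default; consider lowering it";
    }
    return $findings;
}

// Read the effective values from the running interpreter. The CLI SAPI may
// load a different php.ini than mod_php or php-fpm, so run this under the
// SAPI you are actually hardening (e.g. as a small script served by php-fpm).
$findings = check_limits(
    (string) ini_get('memory_limit'),
    (string) ini_get('post_max_size'),
    (string) ini_get('upload_max_filesize')
);

if ($findings === []) {
    echo "OK: limits are lowered from the defaults and correctly ordered\n";
} else {
    foreach ($findings as $finding) {
        echo "WARN: {$finding}\n";
    }
}
```

Because `ini_get()` reports the values the current SAPI resolved (including per-directory or per-pool overrides), running this under php-fpm or mod_php rather than the CLI confirms the limits that actually apply to multipart requests.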
Additionally, both Apache HTTPD and nginx have configuration settings for rejecting requests that are larger than a configured size (for Apache HTTPD, this is the `SecRequestBodyLimit` setting via mod_security; for nginx, create a condition based on the `$request_length` variable).