PHP post_max_size show phpinfo()

By
Febna V M
Published on
02 Jul 2018
1 min read
Vulnerability

post_max_size is a php.ini directive, and its current value is displayed by phpinfo(). It sets the maximum size of POST data that PHP will accept in a single request, which also caps file uploads (the per-file limit, upload_max_filesize, must be at or below it). Many servers leave post_max_size far higher than the application ever needs. An attacker can exploit this by flooding the server with POST requests whose bodies are as large as the limit allows: each one occupies a worker process and bandwidth while PHP reads and buffers the body, and uploaded files are written to temporary storage, so enough concurrent requests exhaust the server's capacity and it can no longer answer legitimate clients. This is a denial of service attack. Note that post_max_size only limits what PHP will parse; the web server still has to receive the body, so it should be paired with the web server's own request body limit (LimitRequestBody in Apache, client_max_body_size in nginx). Leaving phpinfo() reachable makes the problem worse, because it tells the attacker exactly how large a request the server will accept.

If an application genuinely needs large uploads to serve its clients, it must still validate the file type and contents of every upload for malicious content, and the limit should be set to the smallest value that covers that need. Misconfiguring this setting has an adverse effect on the application's availability.

Example

The following php.ini line is an example of the misconfiguration: the limit is far higher than a typical application needs.

        post_max_size=200M

Impact

Using this vulnerability, an attacker can:

  • stop the server from responding to legitimate clients through a denial of service attack.
  • perform code injection attacks by uploading large malicious payloads, if the file type and contents of uploads are not validated.

Mitigation / Precaution

Beagle recommends the following fixes:

  • Set post_max_size as low as the application allows, and keep upload_max_filesize at or below it (a request larger than post_max_size is not parsed at all: $_POST and $_FILES arrive empty, so an upload_max_filesize above post_max_size can never be reached).
        post_max_size=5M ; change according to your application's need
  • Enforce the same ceiling in the web server (LimitRequestBody in Apache, client_max_body_size in nginx) so oversized bodies are rejected before they reach PHP, and do not expose phpinfo() on production servers.
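The following script is an added example, not code from the original article or from Beagle Security. It audits the request-size directives of a php.ini file the way a practitioner would check the weak and corrected settings above: it parses PHP's shorthand byte values (K/M/G suffixes, 1024 multiplier, -1 for unlimited memory_limit), applies PHP's built-in defaults for directives that are absent, and reports a post_max_size above a caller-supplied budget together with the two related mistakes that make a "fix" silently wrong, an upload_max_filesize larger than post_max_size and a memory_limit smaller than post_max_size. The sample php.ini fragments and the 5M budget are constructed for the example.

```python
"""Audit PHP request-size limits in a php.ini file (added example)."""
import re

# PHP's built-in defaults, used when a directive is missing from the file.
DEFAULTS = {
    "post_max_size": "8M",
    "upload_max_filesize": "2M",
    "memory_limit": "128M",
}

_MULTIPLIERS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_php_size(value: str) -> int:
    """Convert PHP shorthand ('5M', '512K', '1g', '1048576', '-1') to bytes.
    PHP accepts an integer with an optional case-insensitive K/M/G suffix;
    -1 is the conventional 'unlimited' value for memory_limit."""
    m = re.fullmatch(r"\s*(-?\d+)\s*([kKmMgG]?)\s*", value)
    if not m:
        raise ValueError(f"unsupported php.ini size: {value!r}")
    return int(m.group(1)) * _MULTIPLIERS[m.group(2).upper()]


def parse_ini_directives(text: str) -> dict:
    """Minimal php.ini reader: 'key = value' lines, ';' starts a comment,
    [section] headers are ignored. Quoted values have their quotes stripped."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if sep:
            directives[key.strip()] = value.strip().strip('"')
    return directives


def audit_request_limits(ini_text: str, post_budget: str = "5M") -> list:
    """Return a list of (directive, message) findings for ini_text.
    post_budget is the largest POST body the application actually needs."""
    conf = parse_ini_directives(ini_text)

    def setting(name: str) -> int:
        return parse_php_size(conf.get(name, DEFAULTS[name]))

    post_max = setting("post_max_size")
    upload_max = setting("upload_max_filesize")
    mem_limit = setting("memory_limit")
    budget = parse_php_size(post_budget)
    unlimited_post = post_max == 0  # post_max_size=0 disables the limit entirely
    findings = []

    if unlimited_post or post_max > budget:
        findings.append(("post_max_size",
                         f"{conf.get('post_max_size', DEFAULTS['post_max_size'])} "
                         f"exceeds the {post_budget} budget; oversized POST bodies are accepted"))
    # PHP does not parse a request larger than post_max_size at all, so a
    # per-file limit above it can never be reached: uploads silently fail.
    if not unlimited_post and upload_max > post_max:
        findings.append(("upload_max_filesize",
                         "larger than post_max_size; such uploads are dropped with empty $_POST/$_FILES"))
    # memory_limit should be larger than post_max_size so PHP can hold the body.
    if not unlimited_post and mem_limit != -1 and mem_limit < post_max:
        findings.append(("memory_limit",
                         "smaller than post_max_size; large bodies will hit the memory limit"))
    return findings


# Constructed sample fragments (not from any real server).
WEAK_INI = """\
; constructed php.ini fragment: the misconfiguration from the article
[PHP]
post_max_size = 200M
upload_max_filesize = 2M
"""

HARDENED_INI = """\
; constructed php.ini fragment: the corrected settings
[PHP]
post_max_size = 5M   ; change according to your application's need
upload_max_filesize = 2M
memory_limit = 128M
"""

if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"{label}:")
        for directive, message in audit_request_limits(ini) or [("-", "no findings")]:
            print(f"  {directive}: {message}")
```

Run it against a real php.ini by reading the file into `audit_request_limits`; the weak fragment above yields findings for post_max_size and for the default memory_limit of 128M, which is smaller than the 200M limit, while the hardened fragment yields none.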

Written by
Febna V M
Cyber Security Engineer