PHP post_max_size shown in phpinfo()

OWASP 2013-A6 OWASP 2017-A3 CAPEC-346 CWE-213 HIPAA-829 ISO27001-A.18.1.3 WASC-13

post_max_size is a PHP setting whose value is visible in the phpinfo() output. It sets the maximum size of a single POST request, and therefore of a single upload, that the server accepts; the value can be changed in php.ini. Many servers set post_max_size far higher than the application actually needs. An attacker can exploit this by flooding the server with extremely large POST requests: while the server is busy processing them, it cannot respond to legitimate client requests. This is a denial-of-service attack.

If an application needs to accept large files from clients, it must check the file type and the contents for malicious content. Misconfiguring this setting can have an adverse effect on the application.

Example

The following php.ini line is an example of the misconfiguration:

        post_max_size=200M

Impact

Using this vulnerability, an attacker can:

  • stop the server from responding, through a denial-of-service attack.
  • perform code injection attacks.

Mitigation / Precaution

Beagle recommends the following fix:

  • Set post_max_size to a low value that matches the application's need.
        post_max_size=5M ; change according to your application's need
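As an added example that is not part of the original page or Beagle's own code, the following PHP script compares the effective post_max_size and upload_max_filesize with the upload size the application actually needs (assumed here to be 5M) and detects POST bodies that PHP has already discarded for exceeding post_max_size:

```php
<?php
// Added example, not from the original page: audits the effective PHP limits
// against the application's need (assumed: 5M) and detects oversized POSTs.
// php.ini shorthand ("5M", "200M", "1G") to bytes, as PHP reads it: integer
// prefix, last character is the unit. 0 and -1 are treated as unlimited here.
function iniShorthandToBytes(string $value): int
{
    $value = trim($value);
    if ($value === '' || $value === '0' || $value === '-1') {
        return PHP_INT_MAX;
    }
    $number = (int) $value; // the cast stops at the first non-digit
    switch (strtoupper(substr($value, -1))) {
        case 'G': return $number * 1024 ** 3;
        case 'M': return $number * 1024 ** 2;
        case 'K': return $number * 1024;
        default:  return $number;
    }
}
// Returns findings; an empty array means the limits match the application's need.
function auditUploadLimits(string $appMaxUpload): array
{
    $findings = [];
    $need   = iniShorthandToBytes($appMaxUpload);
    $post   = iniShorthandToBytes((string) ini_get('post_max_size'));
    $upload = iniShorthandToBytes((string) ini_get('upload_max_filesize'));
    if ($post > $need) {
        $findings[] = 'post_max_size=' . ini_get('post_max_size') . " exceeds the application need of $appMaxUpload";
    }
    if ($upload > $post) {
        $findings[] = 'upload_max_filesize exceeds post_max_size, so uploads of that size are dropped';
    }
    return $findings;
}
// A body larger than post_max_size is discarded before the script runs, leaving
// $_POST and $_FILES empty. Detect that and answer 413 instead of failing silently.
function postExceededLimit(): bool
{
    $length = (int) ($_SERVER['CONTENT_LENGTH'] ?? 0);
    return ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST'
        && $length > iniShorthandToBytes((string) ini_get('post_max_size'))
        && empty($_POST) && empty($_FILES);
}
foreach (auditUploadLimits('5M') as $finding) {
    error_log("upload-limit audit: $finding");
}
if (postExceededLimit()) {
    http_response_code(413);
    exit;
}
```

Run the audit once per deployment to catch a post_max_size that has drifted above the application's need; the request-time check gives the client an explicit 413 where PHP would otherwise hand the script an empty $_POST.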
