Phpinfo() Upload Max Filesize

OWASP 2013-A6 OWASP 2017-A3 CAPEC-346 CWE-213 ISO27001-A.18.1.3 WASC-13

The upload_max_filesize directive sets the maximum size of a single file upload that the server accepts. Its value is configured in php.ini. Many servers set upload_max_filesize to a high value even when the application only processes small files. An attacker can read the configured upload_max_filesize from the output of the phpinfo() function. With this knowledge, the attacker can mount denial-of-service or code-injection attacks. The attacker first uploads large files to the server, issuing these requests from many computers. As many computers upload large files at once, the server stops responding, and genuine users of the application can no longer use the service. This attack is called denial of service.

Example

The following is an example of an upload_max_filesize setting in php.ini:

        upload_max_filesize = 100M

Impact

The impacts include:

  • Denial-of-service attack: The attacker uploads large files from many different clients to hang the server, so that genuine users cannot use the service.
  • Code injection attacks: The attacker can upload large malicious files; when these files are executed, they perform malicious actions.

Mitigation / Precaution

Beagle recommends the following fixes:

  • Set upload_max_filesize to a lower value, for example:
        upload_max_filesize = 10M
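The following audit script is an added example (not Beagle's own code) that checks the weak and the corrected php.ini settings shown above against a size policy. It parses PHP's shorthand size notation (K, M, G suffixes) and also reports the related post_max_size directive, because PHP rejects any request body larger than post_max_size, so post_max_size below upload_max_filesize silently becomes the effective limit. The php.ini fragments, the 10M policy ceiling and the function names are constructed for this example; the PHP defaults used when a directive is absent (2M and 8M) are PHP's documented defaults.

```python
"""Audit php.ini upload limits: an added example, not part of the original page."""
import re

# Multipliers for the shorthand suffixes PHP accepts in size directives.
_SUFFIX = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_php_size(value: str) -> int:
    """Convert a php.ini shorthand value such as '100M' or '8388608' to bytes.

    Assumption: only the integer-with-optional-K/M/G-suffix form appears in the
    files being audited; anything else is reported as an error.
    """
    m = re.fullmatch(r"\s*(\d+)\s*([kKmMgG]?)\s*", value)
    if not m:
        raise ValueError(f"unrecognised size value: {value!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2).lower()]


def parse_ini(text: str) -> dict:
    """Return directive -> raw value for the non-comment lines of a php.ini."""
    directives = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # ';' starts a comment in php.ini
        if "=" in line:
            key, val = line.split("=", 1)
            directives[key.strip()] = val.strip().strip('"')
    return directives


def audit_upload_limits(ini_text: str, max_allowed: str = "10M") -> list:
    """Return a list of findings; an empty list means the limits are within policy.

    max_allowed is the ceiling the site policy permits for upload_max_filesize
    (10M here, matching the recommended value above).
    """
    cfg = parse_ini(ini_text)
    if cfg.get("file_uploads", "1").lower() in ("0", "off", "false", "no"):
        return []  # uploads disabled entirely; the size limits are irrelevant
    ceiling = parse_php_size(max_allowed)
    # PHP's defaults when the directives are not set explicitly.
    upload_raw = cfg.get("upload_max_filesize", "2M")
    post_raw = cfg.get("post_max_size", "8M")
    upload = parse_php_size(upload_raw)
    post = parse_php_size(post_raw)

    findings = []
    if upload > ceiling:
        findings.append(
            f"upload_max_filesize={upload_raw} exceeds the policy ceiling of {max_allowed}"
        )
    if post < upload:
        findings.append(
            f"post_max_size={post_raw} is below upload_max_filesize={upload_raw}; "
            "post_max_size is the effective limit and larger uploads are dropped"
        )
    return findings


# Constructed php.ini fragments for demonstration; not taken from any real server.
WEAK_INI = """
; constructed sample: generous limit although the application handles small files
file_uploads = On
upload_max_filesize = 100M
post_max_size = 128M
"""

HARDENED_INI = """
; constructed sample: limit lowered as recommended, post_max_size kept above it
file_uploads = On
upload_max_filesize = 10M
post_max_size = 12M
"""

INCONSISTENT_INI = """
; constructed sample: post_max_size accidentally left below upload_max_filesize
file_uploads = On
upload_max_filesize = 10M
post_max_size = 8M
"""

if __name__ == "__main__":
    for name, ini in [("weak", WEAK_INI), ("hardened", HARDENED_INI),
                      ("inconsistent", INCONSISTENT_INI)]:
        print(name, audit_upload_limits(ini) or ["OK"])
```

Run against a real php.ini, the script reads the same directives an attacker would see in phpinfo() output, so it is a cheap check to add to a configuration review or a CI step that lints deployed PHP settings.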
