Phpinfo() Upload Max Filesize

By
Jijith Rajan
Published on
02 Jul 2018
1 min read
Vulnerability

The upload_max_filesize directive sets the maximum size of a single file uploaded to the server. Its value is configured in php.ini. Many servers set upload_max_filesize far higher than the application needs, even when the application only processes small files. An attacker can read the configured value from the output of the phpinfo() function. Knowing the limit, the attacker can abuse it for denial of service or code injection attacks. For denial of service, the attacker repeatedly uploads files at the maximum permitted size, sending the requests from many computers at once. As many computers upload large files simultaneously, the server stops responding, and genuine users of the application can no longer use the service. This is a denial of service attack.

Example

The following is an example of an overly generous upload_max_filesize setting in php.ini.

        upload_max_filesize = 100M

Impact

The impact includes:

  • Denial of service attack: The attacker uploads large files from many different clients until the server hangs. Genuine users can no longer use the service.
  • Code injection attacks: The attacker can upload large malicious files. If the server later executes these files, they perform malicious actions.

Mitigation / Precaution

Beagle recommends the following fix:

  • Set upload_max_filesize to the smallest size the application actually needs, for example:
        upload_max_filesize = 10M
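
As an added example (not from the original page or from Beagle Security's own tooling), the following Python script audits the php.ini directives that together bound an upload. It parses a constructed php.ini fragment, converts PHP's shorthand sizes (K/M/G) to bytes, and reports two conditions: upload_max_filesize above the 10M ceiling recommended above, and post_max_size smaller than upload_max_filesize, in which case post_max_size is the real per-request limit and the displayed upload limit is misleading. The 10M policy ceiling is taken from the recommendation above; the fallback values of 2M and 8M are PHP's built-in defaults for the two directives; the sample php.ini text is constructed for the example.

```python
import re

# Constructed php.ini fragment for demonstration (not taken from any real server).
SAMPLE_INI = """
; constructed sample: generous upload limit, default post_max_size
[PHP]
file_uploads = On
upload_max_filesize = 100M   ; the value the page shows
post_max_size = 8M
max_file_uploads = 20
"""

# Policy ceiling, taken from the page's recommended setting (10M); adjust to your own policy.
POLICY_MAX_UPLOAD_BYTES = 10 * 1024 ** 2

_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_shorthand(value):
    """Convert a php.ini shorthand size ("10M", "512K", "2G", "4096") to bytes.

    PHP accepts an integer with an optional K/M/G suffix, case-insensitive.
    """
    m = re.fullmatch(r"\s*(-?\d+)\s*([kKmMgG]?)\s*", value)
    if not m:
        raise ValueError(f"unrecognised php.ini size value: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2).lower()]


def parse_ini(text):
    """Return {directive: raw value} from php.ini text, ignoring comments and section headers."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment in php.ini
        if not line or line.startswith("["):
            continue
        if "=" in line:
            key, val = line.split("=", 1)
            directives[key.strip()] = val.strip().strip('"')
    return directives


def effective_upload_limit(ini_text):
    """Largest single upload PHP will actually accept.

    upload_max_filesize caps one file; post_max_size caps the whole request body,
    so the smaller of the two is the real ceiling. When a directive is absent,
    PHP's built-in defaults (2M and 8M) apply.
    """
    d = parse_ini(ini_text)
    upload = parse_shorthand(d.get("upload_max_filesize", "2M"))
    post = parse_shorthand(d.get("post_max_size", "8M"))
    return min(upload, post)


def audit_upload_limits(ini_text, max_allowed_bytes=POLICY_MAX_UPLOAD_BYTES):
    """Return a list of findings; empty when the configuration meets policy."""
    d = parse_ini(ini_text)
    upload = parse_shorthand(d.get("upload_max_filesize", "2M"))
    post = parse_shorthand(d.get("post_max_size", "8M"))
    findings = []
    if upload > max_allowed_bytes:
        findings.append(
            f"upload_max_filesize is {upload} bytes; policy maximum is {max_allowed_bytes} bytes"
        )
    if post < upload:
        findings.append(
            f"post_max_size ({post} bytes) is below upload_max_filesize ({upload} bytes); "
            "the real per-request ceiling is post_max_size"
        )
    return findings


if __name__ == "__main__":
    for finding in audit_upload_limits(SAMPLE_INI):
        print("FINDING:", finding)
    print("effective single-upload limit:", effective_upload_limit(SAMPLE_INI), "bytes")
```

Run it against the php.ini that phpinfo() reports as the loaded configuration file; the script reads only the text you pass it, so it can be pointed at a copy exported from the server without running anything on the server itself.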
Written by
Jijith Rajan
Cyber Security Engineer