Platform
php
Component
php
Fixed in
7.2.31
7.3.18
7.4.6
CVE-2019-11048 is a vulnerability affecting PHP versions 7.2.x below 7.2.31, 7.3.x below 7.3.18, and 7.4.x below 7.4.6. When HTTP file uploads are enabled, attackers can exploit this flaw by providing excessively long filenames or field names. This can trigger the PHP engine to attempt allocating oversized memory storage, potentially leading to a denial of service due to disk exhaustion from uncleaned temporary files.
The primary impact of CVE-2019-11048 is denial of service (DoS). An attacker can repeatedly upload files with manipulated filenames, causing the PHP engine to allocate excessive memory and create numerous temporary files. If the server's disk space is limited, this accumulation can exhaust the available storage, rendering the web server unresponsive. This can disrupt legitimate user access and potentially impact other services running on the same server. While not directly leading to data exfiltration, the DoS condition can be used as a distraction for other malicious activities. The vulnerability's reliance on HTTP file uploads means applications that heavily utilize this functionality are particularly vulnerable.
CVE-2019-11048 was publicly disclosed on May 20, 2020. There is no indication of active exploitation campaigns targeting this vulnerability. It is not currently listed on the CISA KEV catalog. While a public proof-of-concept may exist, it is not widely known or actively utilized. The vulnerability's impact is primarily a denial of service, which may make it less attractive to attackers compared to vulnerabilities that allow for data breaches or remote code execution.
Web applications that rely on HTTP file uploads are at the highest risk. This includes content management systems (CMS) with file upload features, e-commerce platforms allowing user-uploaded images, and any application that accepts file uploads from external sources. Shared hosting environments are particularly vulnerable as they often have limited disk space and may not be promptly updated with security patches.
• linux / server:
  find /tmp -type f -mtime +1 -print -delete # Remove old temporary files
• generic web:
  grep -i 'upload_max_filesize' /etc/php/7.4/apache2/php.ini # Check PHP configuration
• linux / server:
  journalctl -u php7.4-fpm -g 'memory allocation' # Monitor PHP-FPM logs for memory-related errors
Disclosure
Exploit Status
EPSS
12.72% (94th percentile)
CVSS vector
The primary mitigation for CVE-2019-11048 is to upgrade to a patched version of PHP. Specifically, upgrade to PHP 7.4.6 or later. If immediate upgrading is not feasible, consider implementing temporary workarounds. These may include strict server-side validation that limits the maximum length of uploaded filenames and field names. Additionally, set the upload_max_filesize directive in php.ini to a reasonable value to prevent excessively large uploads. Regularly monitor disk space usage on the server to detect exhaustion early and address it proactively. Consider implementing a WAF rule to block requests with unusually long filenames.
Upgrade to PHP 7.2.31, 7.3.18 or 7.4.6, or a later release, whichever corresponds to your PHP branch. This fixes the vulnerability that allows disk space exhaustion through the accumulation of temporary files that are never removed.
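As an added example, not taken from the advisory or from the PHP project, the following POSIX shell helpers apply the "Fixed in" versions listed above to an installed PHP version string and count stale upload temp files; the /tmp location and the "php" prefix PHP uses for upload temp files are assumptions.

```shell
#!/bin/sh
# Added example: check an installed PHP version against the affected
# ranges of CVE-2019-11048 (fixed in 7.2.31, 7.3.18 and 7.4.6) and count
# leftover upload temp files. Not part of the advisory or of PHP itself.

# php_vulnerable VERSION -> returns 0 if VERSION is in an affected range,
# 1 otherwise. Branches other than 7.2/7.3/7.4 are outside the advisory's
# scope and are reported as not affected by this check.
php_vulnerable() {
    ver=$1
    ver=${ver%%-*}               # drop a packaging suffix: 7.4.3-4ubuntu2.1
    major=${ver%%.*}
    rest=${ver#*.}
    case "$rest" in *.*) ;; *) return 1 ;; esac   # need major.minor.patch
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%.*}           # tolerate a fourth component
    for f in "$major" "$minor" "$patch"; do
        case "$f" in ''|*[!0-9]*) return 1 ;; esac   # non-numeric field
    done
    [ "$major" -eq 7 ] || return 1
    case "$minor" in
        2) fixed=31 ;;
        3) fixed=18 ;;
        4) fixed=6 ;;
        *) return 1 ;;
    esac
    [ "$patch" -lt "$fixed" ]
}

# stale_upload_tmp_count DIR -> prints how many files in DIR that carry
# PHP's upload temp-file prefix (assumed "php") are older than one day.
# A growing count is the disk-exhaustion symptom described above.
stale_upload_tmp_count() {
    find "$1" -maxdepth 1 -type f -name 'php*' -mtime +1 | wc -l | tr -d ' '
}

# Usage: report on the local interpreter when one is installed.
if command -v php >/dev/null 2>&1; then
    v=$(php -r 'echo PHP_VERSION;')
    if php_vulnerable "$v"; then
        echo "PHP $v: affected by CVE-2019-11048, upgrade to the fixed release"
    else
        echo "PHP $v: not in an affected range"
    fi
    echo "stale upload temp files in /tmp: $(stale_upload_tmp_count /tmp)"
fi
```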
CVE-2019-11048 is a vulnerability in PHP versions 7.2.x, 7.3.x, and 7.4.x where overly long filenames in HTTP file uploads can lead to disk exhaustion due to temporary file accumulation.
You are affected if you are running PHP versions 7.2.x below 7.2.31, 7.3.x below 7.3.18, or 7.4.x below 7.4.6 and have HTTP file uploads enabled.
Upgrade to PHP 7.4.6 or later. As a temporary workaround, implement strict filename validation and limit upload_max_filesize.
There is no current evidence of active exploitation campaigns targeting CVE-2019-11048.
Refer to the PHP security advisory: https://security.php.net/CVE-2019-11048