PHP up to 7.2.30/7.3.17/7.4.5 HTTP File Upload Filename integer overflow

Summaryinfo

A vulnerability has been found in PHP up to 7.2.30/7.3.17/7.4.5 and classified as problematic. The impacted element is an unknown function of the component HTTP File Upload. The manipulation as part of Filename leads to integer overflow. This vulnerability is traded as CVE-2019-11048. It is possible to initiate the attack remotely. There is no exploit available. The affected component should be upgraded.

Detailsinfo

A vulnerability, which was classified as problematic, has been found in PHP up to 7.2.30/7.3.17/7.4.5 (Programming Language Software). This issue affects an unknown part of the component HTTP File Upload. The manipulation as part of a Filename leads to a integer overflow vulnerability. Using CWE to declare the problem leads to CWE-190. The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control. Impacted is availability. The summary by CVE is:

In PHP versions 7.2.x below 7.2.31, 7.3.x below 7.3.18 and 7.4.x below 7.4.6, when HTTP file uploads are allowed, supplying overly long filenames or field names could lead PHP engine to try to allocate oversized memory storage, hit the memory limit and stop processing the request, without cleaning up temporary files created by upload request. This potentially could lead to accumulation of uncleaned temporary files exhausting the disk space on the target server.

The weakness was shared 05/20/2020. The identification of this vulnerability is CVE-2019-11048 since 04/09/2019. The exploitation is known to be easy. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. The technical details are unknown and an exploit is not publicly available.

Upgrading to version 7.2.31, 7.3.18 or 7.4.6 eliminates this vulnerability.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Type

• Programming Language Software

Name

• PHP

Version

• 7.2.0
• 7.2.1
• 7.2.2
• 7.2.3
• 7.2.4
• 7.2.5
• 7.2.6
• 7.2.7
• 7.2.8
• 7.2.9
• 7.2.10
• 7.2.11
• 7.2.12
• 7.2.13
• 7.2.14
• 7.2.15
• 7.2.16
• 7.2.17
• 7.2.18
• 7.2.19
• 7.2.20
• 7.2.21
• 7.2.22
• 7.2.23
• 7.2.24
• 7.2.25
• 7.2.26
• 7.2.27
• 7.2.28
• 7.2.29
• 7.2.30
• 7.3.0
• 7.3.1
• 7.3.2
• 7.3.3
• 7.3.4
• 7.3.5
• 7.3.6
• 7.3.7
• 7.3.8
• 7.3.9
• 7.3.10
• 7.3.11
• 7.3.12
• 7.3.13
• 7.3.14
• 7.3.15
• 7.3.16
• 7.3.17
• 7.4.0
• 7.4.1
• 7.4.2
• 7.4.3
• 7.4.4
• 7.4.5

License

• open-source

Website

• Product: https://www.php.org/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion