PHP 'getimagesize () 'Remote Denial of Service Vulnerability

Release date:
Updated on:

Affected Systems:
PHP 5.3.x
PHP 5.2.x
Description:
--------------------------------------------------------------------------------
Bugtraq id: 53289

PHP is an embedded HTML language. PHP is similar to Microsoft's ASP. It is a script language that is executed on the server side and embedded in HTML documents, the language style is similar to the C language and is widely used by many website programmers.

A security vulnerability exists in the implementation of the Getimagesize function in versions earlier than PHP 5.4.1. This function does not verify whether the remote file to be downloaded is an image or whether the size is too large, which forces the PHP engine to download huge files, this results in the depletion of available resources and the denial of service to legal users.

<* Source: Manuel Fern & #195; & #161; ndez

Link: http://seclists.org/fulldisclosure/2012/Apr/375
*>

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

PHP
---
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:

Http://www.php.net