Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2009-4017

PHP before 5.2.12 and 5.3.x before 5.3.1 does not restrict the number of temporary files created when handling a multipart/form-data POST request, which allows remote attackers to cause a denial of service (resource exhaustion), and makes it easier for remote attackers to exploit local file inclusion vulnerabilities, via multiple requests, related to lack of support for the max_file_uploads directive.

Security Impact Summary

CVE-2009-4017 is a security vulnerability that . Impacting 3 products from php, from apple, from debian organizations running these solutions should prioritize assessment and patching.

Historical Context

Originally identified in 2009, this vulnerability predates many modern security frameworks and practices. The vulnerability landscape of that era was characterized by different threat models and less mature defense mechanisms compared to contemporary standards.

Published

2009-11-24T00:30:00.500

Last Modified

2025-04-09T00:30:58.490

Status

Deferred

Source

[email protected]

Severity

CVSSv2: 5.0 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:N/I:N/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL

Exploitability Score

10.0

Impact Score

2.9

Weaknesses

Type: Primary
CWE-770

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	php	php	< 5.2.12	Yes
Application	php	php	5.3.0	Yes
Application	php	php	5.3.0	Yes
Application	php	php	5.3.0	Yes
Application	php	php	5.3.0	Yes
Application	php	php	5.3.0	Yes
Application	php	php	5.3.0	Yes
Application	php	php	5.3.0	Yes
Application	php	php	5.3.0	Yes
Application	php	php	5.3.0	Yes
Operating System	apple	mac_os_x	10.6.3	Yes
Operating System	debian	debian_linux	4.0	Yes
Operating System	debian	debian_linux	5.0	Yes
Operating System	debian	debian_linux	6.0	Yes

References

http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html Mailing List ([email protected])
http://marc.info/?l=bugtraq&m=127680701405735&w=2 Third Party Advisory ([email protected])
http://news.php.net/php.announce/79 Mailing List, Release Notes ([email protected])
http://seclists.org/fulldisclosure/2009/Nov/228 Mailing List, Third Party Advisory ([email protected])
http://secunia.com/advisories/37482 Broken Link ([email protected])
http://secunia.com/advisories/37821 Broken Link ([email protected])
http://secunia.com/advisories/40262 Broken Link ([email protected])
http://secunia.com/advisories/41480 Broken Link ([email protected])
http://secunia.com/advisories/41490 Broken Link ([email protected])
http://support.apple.com/kb/HT4077 Third Party Advisory ([email protected])
http://www.acunetix.com/blog/websecuritynews/php-multipartform-data-denial-of-service/ Third Party Advisory ([email protected])
http://www.debian.org/security/2009/dsa-1940 Mailing List, Third Party Advisory ([email protected])
http://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02512995 Broken Link ([email protected])
http://www.mandriva.com/security/advisories?name=MDVSA-2009:303 Broken Link ([email protected])
http://www.mandriva.com/security/advisories?name=MDVSA-2009:305 Broken Link ([email protected])
http://www.openwall.com/lists/oss-security/2009/11/20/2 Mailing List, Patch ([email protected])
http://www.openwall.com/lists/oss-security/2009/11/20/7 Mailing List ([email protected])
http://www.php.net/ChangeLog-5.php Release Notes, Vendor Advisory ([email protected])
http://www.php.net/releases/5_2_12.php Release Notes ([email protected])
http://www.php.net/releases/5_3_1.php Release Notes, Vendor Advisory ([email protected])
http://www.securityfocus.com/archive/1/507982/100/0/threaded Broken Link, Third Party Advisory, VDB Entry ([email protected])
http://www.vupen.com/english/advisories/2009/3593 Broken Link ([email protected])
https://exchange.xforce.ibmcloud.com/vulnerabilities/54455 Third Party Advisory, VDB Entry ([email protected])
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10483 Broken Link ([email protected])
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6667 Broken Link ([email protected])
http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html Mailing List (af854a3a-2127-422b-91ae-364da2661108)
http://marc.info/?l=bugtraq&m=127680701405735&w=2 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://news.php.net/php.announce/79 Mailing List, Release Notes (af854a3a-2127-422b-91ae-364da2661108)
http://seclists.org/fulldisclosure/2009/Nov/228 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/37482 Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/37821 Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/40262 Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/41480 Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/41490 Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://support.apple.com/kb/HT4077 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.acunetix.com/blog/websecuritynews/php-multipartform-data-denial-of-service/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.debian.org/security/2009/dsa-1940 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02512995 Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://www.mandriva.com/security/advisories?name=MDVSA-2009:303 Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://www.mandriva.com/security/advisories?name=MDVSA-2009:305 Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://www.openwall.com/lists/oss-security/2009/11/20/2 Mailing List, Patch (af854a3a-2127-422b-91ae-364da2661108)
http://www.openwall.com/lists/oss-security/2009/11/20/7 Mailing List (af854a3a-2127-422b-91ae-364da2661108)
http://www.php.net/ChangeLog-5.php Release Notes, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.php.net/releases/5_2_12.php Release Notes (af854a3a-2127-422b-91ae-364da2661108)
http://www.php.net/releases/5_3_1.php Release Notes, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/archive/1/507982/100/0/threaded Broken Link, Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2009/3593 Broken Link (af854a3a-2127-422b-91ae-364da2661108)
https://exchange.xforce.ibmcloud.com/vulnerabilities/54455 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10483 Broken Link (af854a3a-2127-422b-91ae-364da2661108)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6667 Broken Link (af854a3a-2127-422b-91ae-364da2661108)

How SecUtils Interprets This CVE

SecUtils normalizes and enriches National Vulnerability Database (NVD) records by standardizing vendor and product identifiers, aggregating vulnerability metadata from both NVD and MITRE sources, and providing structured context for security teams. For php's affected products, we extract Common Platform Enumeration (CPE) data, Common Weakness Enumeration (CWE) classifications, CVSS severity metrics, and reference data to enable rapid vulnerability prioritization and asset correlation. This record contains no exploit code, proof-of-concept instructions, or attack methodologies—only defensive intelligence necessary for patch management, risk assessment, and security operations.