php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #75889 Overloading disk with temporary files
Submitted: 2018-01-30 16:08 UTC Modified: 2018-02-01 07:41 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: c dot r dot l dot f at yandex dot ru Assigned:
Status: Open Package: FPM related
PHP Version: 7.1.13 OS: Linux
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2018-01-30 16:08 UTC] c dot r dot l dot f at yandex dot ru
Description:
------------
Hello.

While conducting some tests, I noticed one feature, because of which the interpreter does not delete uploaded temporary files.

Using a simple script, you can send an unlimited number of files, which can be used to further attack on local applications (ex. LFI/RFI) or to exhaustion of disk space, which can result in denial of service.

Tested on:

PHP/7.1.12 + nginx/1.13.7 (TCP)
PHP 5.6.32 + nginx/1.10.3 (SOCK)
PHP 5.6.30 + nginx/1.1.19 (SOCK)
PHP 5.4.45 + nginx/1.2.1 (SOCK)
PHP 5.4.39 + nginx/1.2.1 (SOCK)

Maybe, other OS also affected, but I didn't test :(

Test script:
---------------
https://alt3r.eg0.ru/p0c5/12a636fcab5953233706dadacfff3ba8.txt


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-02-01 00:15 UTC] stas@php.net
-Status: Open +Status: Feedback
 [2018-02-01 00:15 UTC] stas@php.net
Not sure what the security issue is here - if you allow uploads, people can upload. Does this happen when uploads are disabled or something like that?
 [2018-02-01 01:01 UTC] c dot r dot l dot f at yandex dot ru
-Status: Feedback +Status: Open
 [2018-02-01 01:01 UTC] c dot r dot l dot f at yandex dot ru
The problem is that PHP does not delete created temporary files (rfc1867) after connection is closed.

In the provided scenario, NGINX closes the connection before PHP writes something in it. Judging by the logs of strace, PHP gets SIGPIPE and for some reasons does not clear temporary files.

Thus, the attacker can upload temporary files while disk space is available. Only reboot or manual deleting this files will help.
 [2018-02-01 01:36 UTC] stas@php.net
Isn't that always the case when uploads are allowed - you can upload files until out of disk space, absent other limitations like quotas, etc.?
 [2018-02-01 02:06 UTC] c dot r dot l dot f at yandex dot ru
In default installations files uploads is always on, so any host that satisfies the dependencies (PHP+NGINX) can be attacked.

Please look video PoC:

https://alt3r.eg0.ru/p0c5/12a636fcab5953233706dadacfff3ba8.avi
 [2018-02-01 02:13 UTC] stas@php.net
So do I understand correctly the problem does not exist when file uploads are disabled?
 [2018-02-01 02:21 UTC] c dot r dot l dot f at yandex dot ru
Yep, I just checked it, it's not reproducible when file_uploads = Off.
 [2018-02-01 07:41 UTC] stas@php.net
-Type: Security +Type: Bug
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sat Nov 16 23:01:41 2019 UTC