go to bug id or search bugs for
While conducting some tests, I noticed one feature, because of which the interpreter does not delete uploaded temporary files.
Using a simple script, you can send an unlimited number of files, which can be used to further attack on local applications (ex. LFI/RFI) or to exhaustion of disk space, which can result in denial of service.
PHP/7.1.12 + nginx/1.13.7 (TCP)
PHP 5.6.32 + nginx/1.10.3 (SOCK)
PHP 5.6.30 + nginx/1.1.19 (SOCK)
PHP 5.4.45 + nginx/1.2.1 (SOCK)
PHP 5.4.39 + nginx/1.2.1 (SOCK)
Maybe, other OS also affected, but I didn't test :(
Add a Patch
Add a Pull Request
Not sure what the security issue is here - if you allow uploads, people can upload. Does this happen when uploads are disabled or something like that?
The problem is that PHP does not delete created temporary files (rfc1867) after connection is closed.
In the provided scenario, NGINX closes the connection before PHP writes something in it. Judging by the logs of strace, PHP gets SIGPIPE and for some reasons does not clear temporary files.
Thus, the attacker can upload temporary files while disk space is available. Only reboot or manual deleting this files will help.
Isn't that always the case when uploads are allowed - you can upload files until out of disk space, absent other limitations like quotas, etc.?
In default installations files uploads is always on, so any host that satisfies the dependencies (PHP+NGINX) can be attacked.
Please look video PoC:
So do I understand correctly the problem does not exist when file uploads are disabled?
Yep, I just checked it, it's not reproducible when file_uploads = Off.