php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #75889 Overloading disk with temporary files
Submitted: 2018-01-30 16:08 UTC Modified: 2018-02-01 07:41 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: c dot r dot l dot f at yandex dot ru Assigned:
Status: Open Package: FPM related
PHP Version: 7.1.13 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: c dot r dot l dot f at yandex dot ru
New email:
PHP Version: OS:

 

 [2018-01-30 16:08 UTC] c dot r dot l dot f at yandex dot ru 
Description:
------------
Hello.

While conducting some tests, I noticed one feature, because of which the interpreter does not delete uploaded temporary files.

Using a simple script, you can send an unlimited number of files, which can be used to further attack on local applications (ex. LFI/RFI) or to exhaustion of disk space, which can result in denial of service.

Tested on:

PHP/7.1.12 + nginx/1.13.7 (TCP)
PHP 5.6.32 + nginx/1.10.3 (SOCK)
PHP 5.6.30 + nginx/1.1.19 (SOCK)
PHP 5.4.45 + nginx/1.2.1 (SOCK)
PHP 5.4.39 + nginx/1.2.1 (SOCK)

Maybe, other OS also affected, but I didn't test :(

Test script:
---------------
https://alt3r.eg0.ru/p0c5/12a636fcab5953233706dadacfff3ba8.txt

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-02-01 00:15 UTC] stas@php.net
-Status: Open +Status: Feedback
 [2018-02-01 00:15 UTC] stas@php.net 
Not sure what the security issue is here - if you allow uploads, people can upload. Does this happen when uploads are disabled or something like that?
 [2018-02-01 01:01 UTC] c dot r dot l dot f at yandex dot ru
-Status: Feedback +Status: Open
 [2018-02-01 01:01 UTC] c dot r dot l dot f at yandex dot ru 
The problem is that PHP does not delete created temporary files (rfc1867) after connection is closed.

In the provided scenario, NGINX closes the connection before PHP writes something in it. Judging by the logs of strace, PHP gets SIGPIPE and for some reasons does not clear temporary files.

Thus, the attacker can upload temporary files while disk space is available. Only reboot or manual deleting this files will help.
 [2018-02-01 01:36 UTC] stas@php.net 
Isn't that always the case when uploads are allowed - you can upload files until out of disk space, absent other limitations like quotas, etc.?
 [2018-02-01 02:06 UTC] c dot r dot l dot f at yandex dot ru 
In default installations files uploads is always on, so any host that satisfies the dependencies (PHP+NGINX) can be attacked.

Please look video PoC:

https://alt3r.eg0.ru/p0c5/12a636fcab5953233706dadacfff3ba8.avi
 [2018-02-01 02:13 UTC] stas@php.net 
So do I understand correctly the problem does not exist when file uploads are disabled?
 [2018-02-01 02:21 UTC] c dot r dot l dot f at yandex dot ru 
Yep, I just checked it, it's not reproducible when file_uploads = Off.
 [2018-02-01 07:41 UTC] stas@php.net
-Type: Security +Type: Bug
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved. 		Last updated: Fri Jan 17 12:01:23 2020 UTC