php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #75889 Overloading disk with temporary files
Submitted: 2018-01-30 16:08 UTC Modified: 2023-02-03 14:14 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: c dot r dot l dot f at yandex dot ru Assigned: bukka (profile)
Status: Closed Package: FPM related
PHP Version: 7.1.13 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
27 - 10 = ?
Subscribe to this entry?

 
 [2018-01-30 16:08 UTC] c dot r dot l dot f at yandex dot ru
Description:
------------
Hello.

While conducting some tests, I noticed one feature, because of which the interpreter does not delete uploaded temporary files.

Using a simple script, you can send an unlimited number of files, which can be used to further attack on local applications (ex. LFI/RFI) or to exhaustion of disk space, which can result in denial of service.

Tested on:

PHP/7.1.12 + nginx/1.13.7 (TCP)
PHP 5.6.32 + nginx/1.10.3 (SOCK)
PHP 5.6.30 + nginx/1.1.19 (SOCK)
PHP 5.4.45 + nginx/1.2.1 (SOCK)
PHP 5.4.39 + nginx/1.2.1 (SOCK)

Maybe, other OS also affected, but I didn't test :(

Test script:
---------------
https://alt3r.eg0.ru/p0c5/12a636fcab5953233706dadacfff3ba8.txt


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-02-01 00:15 UTC] stas@php.net
-Status: Open +Status: Feedback
 [2018-02-01 00:15 UTC] stas@php.net
Not sure what the security issue is here - if you allow uploads, people can upload. Does this happen when uploads are disabled or something like that?
 [2018-02-01 01:01 UTC] c dot r dot l dot f at yandex dot ru
-Status: Feedback +Status: Open
 [2018-02-01 01:01 UTC] c dot r dot l dot f at yandex dot ru
The problem is that PHP does not delete created temporary files (rfc1867) after connection is closed.

In the provided scenario, NGINX closes the connection before PHP writes something in it. Judging by the logs of strace, PHP gets SIGPIPE and for some reasons does not clear temporary files.

Thus, the attacker can upload temporary files while disk space is available. Only reboot or manual deleting this files will help.
 [2018-02-01 01:36 UTC] stas@php.net
Isn't that always the case when uploads are allowed - you can upload files until out of disk space, absent other limitations like quotas, etc.?
 [2018-02-01 02:06 UTC] c dot r dot l dot f at yandex dot ru
In default installations files uploads is always on, so any host that satisfies the dependencies (PHP+NGINX) can be attacked.

Please look video PoC:

https://alt3r.eg0.ru/p0c5/12a636fcab5953233706dadacfff3ba8.avi
 [2018-02-01 02:13 UTC] stas@php.net
So do I understand correctly the problem does not exist when file uploads are disabled?
 [2018-02-01 02:21 UTC] c dot r dot l dot f at yandex dot ru
Yep, I just checked it, it's not reproducible when file_uploads = Off.
 [2018-02-01 07:41 UTC] stas@php.net
-Type: Security +Type: Bug
 [2023-02-03 14:11 UTC] bukka@php.net
After some investigation of this I found another related private report that shed a bit more light on this issue. I was not actually able to use this reproducer even with some modifications as nginx was constantly returning 499. But managed to get a different one:

touch evil_upload; curl -F 'test=@evil_upload' http://localhost:8080/index.php >/dev/null 2>&1  & CPID=$! && echo $CPID && sleep 10 && kill -9  $CPID; rm evil_upload

The private report actually noted that it was due to bail out which I actually fixed as part of https://github.com/php/php-src/commit/3503b1daa265777588b3219b82219a0056675ca0 so the issue is fixed now.

I should say that this was definitely a security issue in my eyes as it is not true that you can upload files until out of disk space because we have got a limit max_upload_files. Stas probably didn't realise that the issue is happening even with this limit in place which should never happen and disk exhaustion is definitely a problem that should be treated as a security issue. So if you still manage to recreate this or similar issue with file uploads somehow, please report it as a new security issue.
 [2023-02-03 14:12 UTC] bukka@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: bukka
 [2023-02-03 14:14 UTC] bukka@php.net
I should also note that the fix is available from PHP 8.0.24
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 09:01:26 2024 UTC