2011-03-18:

Just another PHP LFI exploitation method

php:lfi:temporary files
A few days ago I had an interesting discussion with a friend (hi Felix ;>) about methods of exploiting a Local File Inclusion bug in PHP. During it, an interesting idea came to my mind: using the temporary files created by the PHP engine while you send a request with "attached" files (i.e. file uploads) (please note that this is not the same as including an uploaded file ;>). I decided to write a paper on this, but it later turned out that this method is actually known to some parties; still, it seems it's not common knowledge (as opposed to e.g. including Apache logs or /proc/self/environ), so I decided to even the odds and publish the paper anyway.

PHP LFI to arbitrary code execution via rfc1867 file upload temporary files (EN)
PHP_LFI_rfc1867_temporary_files.pdf (169KB)

Summary:
- this method works like a charm on Windows (http://site/?page=C:\Windows\Temp\php<<)
- trick with << in FindFirstFile ftw!
- this method works in some very specific cases on Linux-based OS'es (and doesn't work in other cases)
- GetTempFileName in WinAPI is surprisingly weak
- but mkstemp from GNU lib C is surprisingly strong
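The root cause on the application side is the same as for every other LFI variant: the path passed to include() is chosen by the request, so any file the web server can read (PHP's own upload temporaries included) becomes a candidate. The following is an added example, not code from the post or the paper, contrasting that pattern with an allowlist-based page loader and a small deploy-time check of the upload_tmp_dir / open_basedir settings; the page names, directory layout and function names are assumptions for illustration.

```php
<?php
// Added example (hypothetical handlers, not from the paper): the mitigation side
// of the temporary-file LFI class.

// Vulnerable pattern: the include path is taken straight from the request, so
// any readable path (logs, /proc entries, upload temporaries, ...) can be named.
function include_page_unsafe(string $page): void
{
    include $page;
}

// Hardened pattern: the request selects a key in a fixed map. The file system
// path never comes from user input, so there is nothing to smuggle in.
function page_map(): array
{
    return [
        'home'    => __DIR__ . '/pages/home.php',
        'about'   => __DIR__ . '/pages/about.php',
        'contact' => __DIR__ . '/pages/contact.php',
    ];
}

function resolve_page(string $page): ?string
{
    return page_map()[$page] ?? null;
}

function include_page_safe(string $page): void
{
    $path = resolve_page($page);
    if ($path === null) {
        http_response_code(404);
        return;
    }
    include $path;
}

// Defence in depth for the temporary-file angle: report where PHP writes upload
// temporaries and whether that directory lies inside the open_basedir allowlist
// (if it does, include() can reach it even with open_basedir set).
function upload_tmp_dir_report(): array
{
    $tmp     = ini_get('upload_tmp_dir') ?: sys_get_temp_dir();
    $tmpReal = realpath($tmp) ?: $tmp;
    $base    = (string) ini_get('open_basedir');
    $inside  = false;
    foreach (explode(PATH_SEPARATOR, $base) as $dir) {
        $dir = rtrim($dir, '/\\');
        if ($dir !== '' && strpos($tmpReal, $dir) === 0) {
            $inside = true;
        }
    }
    return [
        'upload_tmp_dir'  => $tmpReal,
        'open_basedir'    => $base === '' ? '(unset)' : $base,
        'tmp_inside_base' => $inside,
    ];
}

include_page_safe($_GET['page'] ?? 'home');
```

The allowlist is the actual fix; the settings report is only a sanity check worth running after a deployment, since a temporary directory that sits inside open_basedir (or an unset open_basedir) is exactly the configuration in which the paper's method has something to include.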

Communication:
2011-03-16 - PHP team gets a "heads up", some e-mails get exchanged; they don't request delaying the publication (no surprise here)
2011-03-18 - publication

Thanks to:
Felix Gröbert for the interesting discussion that led to this article :)
phunk for letting me know about prior knowledge of this method

And that's that,

UPDATE 1 (2011-03-19, 7am)
EdiStrosar has tweeted about an upload related DoS, patched in PHP 5.3.1. Quite interesting :)
