ProcessWire
cpe:2.3:a:processwire:processwire:*:*:*:*:*:*:*
- 3.0.246
A denial-of-service vulnerability has been identified in ProcessWire CMS version 3.0.246. The issue arises from the application's handling of ZIP file uploads in the Language Support section. When a low-privileged user with 'lang-edit' permission uploads a ZIP file, it is extracted automatically and without any size or entry limits, prior to validation. This flaw can be exploited to cause significant resource exhaustion, leading to a degradation of site performance.
Exploitation of this vulnerability causes a resource-exhaustion denial-of-service, where the unbounded extraction of ZIP files leads to multi-GB storage use, CPU spikes, and disk I/O increases. This can cause PHP-FPM workers to stall, leading to timeouts in both the admin and front-end interfaces. If the disk fills up, it can cause cascading failures in session management, logging, caching, and background jobs, all of which can result in 500 errors and forced logouts.
The vulnerability can be reproduced by uploading a crafted ZIP file to the Language Support section of ProcessWire 3.0.246, using an account with 'lang-edit' permission. The uploaded ZIP file should be small and highly compressible, containing a large number of entries that expand significantly when extracted. Once uploaded, the file is extracted into a temporary directory, leading to a rapid increase in disk usage and a spike in CPU and I/O activity, causing noticeable slowdowns across the site.
Users can manually validate ZIP files before uploading them to the Language Support section. Additionally, a 'FileValidatorZIP' module could be developed to automate this process by rejecting archives that exceed certain thresholds for uncompressed size, entry count, or path depth.
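The threshold checks such a validator would perform can be done from the archive's central directory before anything is extracted. The following is an added example, not ProcessWire code or an existing module; the function name `zipRejectionReason` and all limit values are assumptions to be tuned per site.

```php
<?php
// Added example, not ProcessWire code. All limits are assumed values to tune per site.
function zipRejectionReason(
    string $path,
    int $maxEntries = 1000,
    int $maxTotalBytes = 52428800,   // 50 MiB uncompressed
    int $maxDepth = 5
): ?string {
    $zip = new ZipArchive();
    if ($zip->open($path) !== true) {
        return 'not a readable ZIP archive';
    }
    try {
        if ($zip->numFiles > $maxEntries) {
            return "entry count {$zip->numFiles} exceeds $maxEntries";
        }
        $total = 0;
        for ($i = 0; $i < $zip->numFiles; $i++) {
            $stat = $zip->statIndex($i);
            if ($stat === false) {
                return "entry $i has no readable metadata";
            }
            // Count non-empty path components; treat backslashes as separators too.
            $parts = preg_split('#[/\\\\]+#', $stat['name'], -1, PREG_SPLIT_NO_EMPTY);
            if (count($parts) > $maxDepth) {
                return "path depth " . count($parts) . " exceeds $maxDepth: {$stat['name']}";
            }
            $total += $stat['size'];   // declared uncompressed size from the central directory
            if ($total > $maxTotalBytes) {
                return "declared uncompressed size exceeds $maxTotalBytes bytes";
            }
        }
        return null;                   // archive is within all limits
    } finally {
        $zip->close();
    }
}
// Constructed sample input: 20 highly compressible 1 MiB entries, built locally.
$sample = tempnam(sys_get_temp_dir(), 'zipcheck');
$zip = new ZipArchive();
$zip->open($sample, ZipArchive::CREATE | ZipArchive::OVERWRITE);
for ($i = 0; $i < 20; $i++) {
    $zip->addFromString("lang/file$i.json", str_repeat('A', 1048576));
}
$zip->close();
var_dump(zipRejectionReason($sample));                  // checked against the default limits
var_dump(zipRejectionReason($sample, 1000, 10485760));  // checked against a 10 MiB budget
unlink($sample);
```

The sizes read here are the values the archive declares about itself, so the extraction step should still cap the bytes it actually writes.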