I am not sure this necessarily refers to the upload temp directory.  Anyway, did you look at https://bugs.php.net/bug.php?id=74189 ?
(The port used in that log entry appears to be the one that Gitblit defaults to, incidentally.)

On Thu, Apr 8, 2021 at 3:48 PM Jeffrey Walton <noloader@gmail.com> wrote:
Hi Everyone,

I'm seeing some funny business in our log files.

[Thu Apr 08 10:52:20.225624 2021] [php7:notice] [pid 1823] [client
71.179.5.32:29418] PHP Notice:  Unknown: file created in the system's
temporary directory in Unknown on line 0, referer:
https://www.cryptopp.com/w/index.php?title=Linux&action=edit

We override the upload directory for Apache, so nothing should be
written to the system's temporary directory:

# grep -IR 'temp_dir' /etc
/etc/php/7.4/cli/php.ini:; Defaults to the system default (see sys_get_temp_dir)
/etc/php/7.4/cli/php.ini:;sys_temp_dir = "/tmp"
/etc/php/7.4/apache2/php.ini:; Defaults to the system default (see
sys_get_temp_dir)
/etc/php/7.4/apache2/php.ini:sys_temp_dir = "/var/lib/php/tmp"

And:

# ls -Al /var/lib/php
drwxr-xr-x 3 www-data www-data 4096 Mar 31 17:04 modules
drwx-wx-wt 2 www-data www-data 4096 Mar 27  2020 sessions
drwxr-xr-x 2 www-data www-data 4096 Apr  8 11:37 tmp

And:

# grep base /etc/php/7.4/apache2/conf.d/99-security.ini
open_basedir="/var/www/html/:/var/lib/php/"

We are not sure what is going on. I guess we missed a setting somewhere.

How is the attacker creating files on the system given they are not logged in?

Thanks in advance.

_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l