php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Doc Bug #45229 "Insecure" Installation Configuration
Submitted: 2008-06-10 16:52 UTC Modified: 2008-06-24 21:54 UTC
From: phpbugs at rjharrison dot org Assigned:
Status: Closed Package: Documentation problem
PHP Version: Irrelevant OS: *nix
Private report: No CVE-ID: None
 [2008-06-10 16:52 UTC] phpbugs at rjharrison dot org
Description:
------------
The install instructions for *nix + Apache suggest a *potentially* *less secure* configuration of Apache. 

http://www.php.net/manual/en/install.unix.apache2.php

"AddType application/x-httpd-php .php .phtml"

The potential vulnerability involves how Apache handles files with multiple extensions. A file named exploit.php.xx.xx will be interpreted as PHP; so if a file was uploaded, a simple check on its extension against a blacklist (.php, .cgi etc) would allow a .php.xx.xx file to pass.

Put aside the issue of developer stupidity: instead of the AddType... configuration, we could change it to:-

<FilesMatch \.php$>
SetHandler application/x-httpd-php
</FilesMatch>

Which I don't think has any side-effects and means only files with extension .php would be interpreted. 


Reproduce code:
---------------
[Vanilla Apache+PHP installation from source]

Filename: exploit.php.xx.xx
<?php
echo "Oh shit, this ran through PHP!";
?>

When you request http://localhost/exploit.php.xx.xx it will be interpreted by PHP.


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-06-24 21:54 UTC] danbrown@php.net
This bug has been fixed in the documentation's XML sources. Since the
online and downloadable versions of the documentation need some time
to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation better.

I've been using that same method for quite some time on all of my servers as well.  Thanks for bringing it to our attention to add it into the documentation for others to benefit, too.
 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Wed May 25 07:05:45 2022 UTC