PHP :: Doc Bug #45229 :: "Insecure" Installation Configuration

Doc Bug #45229	"Insecure" Installation Configuration
Submitted:	2008-06-10 16:52 UTC	Modified:	2008-06-24 21:54 UTC
From:	phpbugs at rjharrison dot org	Assigned:
Status:	Closed	Package:	Documentation problem
PHP Version:	Irrelevant	OS:	*nix
Private report:	No	CVE-ID:	None

View Developer Edit

[2008-06-10 16:52 UTC] phpbugs at rjharrison dot org

Description:
------------
The install instructions for *nix + Apache suggest a *potentially* *less secure* configuration of Apache. 

http://www.php.net/manual/en/install.unix.apache2.php

"AddType application/x-httpd-php .php .phtml"

The potential vulnerability involves how Apache handles files with multiple extensions. A file named exploit.php.xx.xx will be interpreted as PHP; so if a file was uploaded, a simple check on its extension against a blacklist (.php, .cgi etc) would allow a .php.xx.xx file to pass.

Put aside the issue of developer stupidity: instead of the AddType... configuration, we could change it to:-

<FilesMatch \.php$>
SetHandler application/x-httpd-php
</FilesMatch>

Which I don't think has any side-effects and means only files with extension .php would be interpreted. 


Reproduce code:
---------------
[Vanilla Apache+PHP installation from source]

Filename: exploit.php.xx.xx
<?php
echo "Oh shit, this ran through PHP!";
?>

When you request http://localhost/exploit.php.xx.xx it will be interpreted by PHP.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2008-06-24 21:54 UTC] danbrown@php.net

This bug has been fixed in the documentation's XML sources. Since the
online and downloadable versions of the documentation need some time
to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation better.

I've been using that same method for quite some time on all of my servers as well.  Thanks for bringing it to our attention to add it into the documentation for others to benefit, too.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Thu Apr 03 22:01:31 2025 UTC