Doc Bug #45229 "Insecure" Installation Configuration
Submitted: 2008-06-10 16:52 UTC Modified: 2008-06-24 21:54 UTC
From: phpbugs at rjharrison dot org Assigned:
Status: Closed Package: Documentation problem
PHP Version: Irrelevant OS: *nix
Private report: No CVE-ID: None
 [2008-06-10 16:52 UTC] phpbugs at rjharrison dot org
The install instructions for *nix + Apache suggest a *potentially* *less secure* configuration of Apache.

"AddType application/x-httpd-php .php .phtml"

The potential vulnerability involves how Apache handles files with multiple extensions. A file named exploit.php.xx.xx will be interpreted as PHP; so if a file was uploaded, a simple check on its extension against a blacklist (.php, .cgi etc) would allow a .php.xx.xx file to pass.

Put aside the issue of developer stupidity: instead of the AddType... configuration, we could change it to:-

<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>

Which I don't think has any side-effects and means only files with extension .php would be interpreted. 

Reproduce code:
[Vanilla Apache+PHP installation from source]

Filename: exploit.php.xx.xx
<?php
echo "Oh shit, this ran through PHP!";

When you request http://localhost/exploit.php.xx.xx it will be interpreted by PHP.
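As an added illustration (not part of the bug report or of PHP's documentation), the following Python models the two handler mappings discussed above and runs them, together with the naive last-extension blacklist the report describes, over a constructed list of upload names. The mod_mime model (any recognised dot-separated segment selects the handler) is a simplification assumed here for the purpose of the comparison.

```python
import re
from pathlib import PurePosixPath

# Extensions the documented "AddType application/x-httpd-php .php .phtml"
# line maps to the PHP handler.
PHP_EXTENSIONS = {".php", ".phtml"}

# Simplified model of Apache mod_mime under that AddType line (assumption of
# this example): every dot-separated segment after the basename is treated as
# an extension, and a recognised one anywhere in the name selects PHP.
def addtype_runs_as_php(filename: str) -> bool:
    suffixes = PurePosixPath(filename).suffixes   # "a.php.xx.xx" -> ['.php', '.xx', '.xx']
    return any(s.lower() in PHP_EXTENSIONS for s in suffixes)

# Model of the FilesMatch block proposed in the report: the pattern is
# anchored at the end of the name, so only a trailing ".php" selects PHP.
FILESMATCH_PHP = re.compile(r"\.php$")

def filesmatch_runs_as_php(filename: str) -> bool:
    return FILESMATCH_PHP.search(filename) is not None

# The naive upload filter the report warns about: inspect only the final
# extension and reject it if it is on a blacklist.
BLACKLIST = {".php", ".phtml", ".cgi"}

def naive_blacklist_accepts(filename: str) -> bool:
    return PurePosixPath(filename).suffix.lower() not in BLACKLIST

def upload_gaps(filenames):
    """Names the naive blacklist accepts that Apache would still execute as PHP,
    listed per handler configuration. An empty list means no gap."""
    return {
        "AddType": [f for f in filenames
                    if naive_blacklist_accepts(f) and addtype_runs_as_php(f)],
        "FilesMatch": [f for f in filenames
                       if naive_blacklist_accepts(f) and filesmatch_runs_as_php(f)],
    }

# Constructed sample upload names (not taken from any real system).
SAMPLE_UPLOADS = [
    "exploit.php.xx.xx",   # the report's example
    "report.pdf",
    "index.php",           # blocked by the blacklist either way
    "photo.jpg",
    "page.phtml.txt",      # .phtml in the middle, .txt at the end
]

if __name__ == "__main__":
    for config, names in upload_gaps(SAMPLE_UPLOADS).items():
        print(f"{config}: blacklist passes but PHP runs -> {names}")
```

With the constructed names, the AddType mapping leaves two files that pass the blacklist yet execute, while the anchored FilesMatch mapping leaves none.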

 [2008-06-24 21:54 UTC]
This bug has been fixed in the documentation's XML sources. Since the
online and downloadable versions of the documentation need some time
to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation better.

I've been using that same method for quite some time on all of my servers as well. Thanks for bringing it to our attention to add it into the documentation for others to benefit, too.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon May 20 16:01:35 2024 UTC