PHP :: Doc Bug #45229 :: "Insecure" Installation Configuration

Doc Bug #45229	"Insecure" Installation Configuration
Submitted:	2008-06-10 16:52 UTC	Modified:	2008-06-24 21:54 UTC
From:	phpbugs at rjharrison dot org	Assigned:
Status:	Closed	Package:	Documentation problem
PHP Version:	Irrelevant	OS:	*nix
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !

Your email address: MUST BE VALID
Solve the problem: 33 + 4 = ?
Subscribe to this entry?

[2008-06-10 16:52 UTC] phpbugs at rjharrison dot org

Description:
------------
The install instructions for *nix + Apache suggest a *potentially* *less secure* configuration of Apache. 

http://www.php.net/manual/en/install.unix.apache2.php

"AddType application/x-httpd-php .php .phtml"

The potential vulnerability involves how Apache handles files with multiple extensions. A file named exploit.php.xx.xx will be interpreted as PHP; so if a file was uploaded, a simple check on its extension against a blacklist (.php, .cgi etc) would allow a .php.xx.xx file to pass.

Put aside the issue of developer stupidity: instead of the AddType... configuration, we could change it to:-

<FilesMatch \.php$>
SetHandler application/x-httpd-php
</FilesMatch>

Which I don't think has any side-effects and means only files with extension .php would be interpreted. 


Reproduce code:
---------------
[Vanilla Apache+PHP installation from source]

Filename: exploit.php.xx.xx
<?php
echo "Oh shit, this ran through PHP!";
?>

When you request http://localhost/exploit.php.xx.xx it will be interpreted by PHP.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2008-06-24 21:54 UTC] danbrown@php.net

This bug has been fixed in the documentation's XML sources. Since the
online and downloadable versions of the documentation need some time
to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation better.

I've been using that same method for quite some time on all of my servers as well.  Thanks for bringing it to our attention to add it into the documentation for others to benefit, too.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Apr 18 07:01:27 2024 UTC