[CentOS] php config security concern for c5

Joe Pruett joey at clean.q7.com
Sat Nov 14 07:06:21 UTC 2009


a recent post on bugtraq hilighted an issue with how upstream has 
configured apache to invoke php, namely using addhandler, which has the 
behavior of matching the extension anywhere in the file.  this means 
that foo.php.jpg will be run as php.  where this becomes an issue is web 
apps that allow uploads into the webspace for images, pdfs, etc.  if the 
app assumes that anything.jpg is safe, this addhandler feature will 
surprise it.

a fix is to replace two lines in /etc/httpd/conf.d/php.conf:

AddHandler php5-script .php
AddType text/html .php

with:

<FilesMatch \.php$>
    SetHandler php5-script
    ForceType text/html
</FilesMatch>


i have reported this upstream.  hopefully they will see it as a problem 
and address it.


More information about the CentOS mailing list