[CentOS] php config security concern for c5

Joe Pruett joey at clean.q7.com
Mon Nov 16 16:42:31 UTC 2009


>> a recent post on bugtraq hilighted an issue with how upstream has
>> configured apache to invoke php, namely using addhandler, which has the
>> behavior of matching the extension anywhere in the file.  this means
>> that foo.php.jpg will be run as php.  where this becomes an issue is web
>> apps that allow uploads into the webspace for images, pdfs, etc.  if the
>> app assumes that anything.jpg is safe, this addhandler feature will
>> surprise it.
>
> Hi Joe,
>
> Are you sure this is limited to just CentOS? I've seen that config
> used before on other distro's apache configs.

i'm sure other distros use the same method, but i don't use any and this 
is the centos list, so that's all i'm talking about.

>
>> From the Apache 2.x Docs:
>
> ---
> Care should be taken when a file with multiple extensions gets
> associated with both a MIME-type and a handler. This will usually
> result in the request being by the module associated with the handler.
> For example, if the .imap  extension is mapped to the handler
> imap-file (from mod_imap) and the .html extension is mapped to the
> MIME-type text/html, then the file world.imap.html will be associated
> with both the imap-file handler and text/html MIME-type. When it is
> processed, the imap-file handler will be used, and so it will be
> treated as a mod_imap imagemap file.
> ---
>
> So if example.php.gif is read by apache, the AddHandler for
> php5-script (mod_php) will take precedence over the mime-type handler
> for .gif (image/gif) and the file will be treated as a php script.
>
>> From that it almost sounds like it's not a bug, just apache's own
> rules of precedence for handling files that match multiple
> extensions/mime-types.

i can understand why apache has this behaviour, but i think the bug is 
using it for handlers that can execute code.  since the expected behaviour 
can be obtained more safely with the filesmatch mechanism, it sure seems 
like an obvious change.


More information about the CentOS mailing list