[CentOS] php config security concern for c5

Joe Pruett

joey at clean.q7.com
Sat Nov 14 07:06:21 UTC 2009


a recent post on bugtraq highlighted an issue with how upstream has 
configured apache to invoke php, namely using addhandler, which has the 
behavior of matching the extension anywhere in the file.  this means 
that foo.php.jpg will be run as php.  where this becomes an issue is web 
apps that allow uploads into the webspace for images, pdfs, etc.  if the 
app assumes that anything.jpg is safe, this addhandler feature will 
surprise it.

a fix is to replace two lines in /etc/httpd/conf.d/php.conf:

AddHandler php5-script .php
AddType text/html .php

with:

<FilesMatch \.php$>
    SetHandler php5-script
    ForceType text/html
</FilesMatch>


i have reported this upstream.  hopefully they will see it as a problem 
and address it.
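
An added example, not part of the original post: a simplified Python model of the behaviour described above, showing which file names the AddHandler line would treat as PHP but the FilesMatch block would not, usable to audit an upload directory. The function names and sample file names are assumptions made for illustration.

```python
import os
import re

# The stricter rule from the post: <FilesMatch \.php$>
FILESMATCH_PHP = re.compile(r"\.php$")


def extensions(filename):
    """Every dot-separated token after the base name, lowercased.

    Simplified model of how mod_mime sees a name: foo.php.jpg has the
    extensions ['php', 'jpg'], and a handler mapped to either one applies.
    """
    base = os.path.basename(filename)
    return [tok.lower() for tok in base.split(".")[1:] if tok]


def addhandler_runs_php(filename, mapped=("php",)):
    """True if 'AddHandler php5-script .php' would claim this file."""
    return any(ext in mapped for ext in extensions(filename))


def filesmatch_runs_php(filename):
    """True if the FilesMatch block from the post would claim this file."""
    return bool(FILESMATCH_PHP.search(os.path.basename(filename)))


def audit(names):
    """Names that run as PHP under AddHandler but not under FilesMatch."""
    return [n for n in names
            if addhandler_runs_php(n) and not filesmatch_runs_php(n)]


def audit_tree(root):
    """Walk an upload directory and return the paths audit() flags."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        found.extend(os.path.join(dirpath, f) for f in audit(files))
    return found


if __name__ == "__main__":
    # Constructed sample names, not taken from a real server.
    sample = ["photo.jpg", "index.php", "foo.php.jpg",
              "report.PHP.pdf", "php.jpg", "notes.phps.txt"]
    for name in audit(sample):
        print("would run as php under AddHandler:", name)
```

Running audit_tree() over the directories a web app writes uploads into lists the files whose handling changes when the configuration is switched.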


