a recent post on bugtraq highlighted an issue with how upstream has
configured apache to invoke php, namely using addhandler, which has the
behavior of matching the extension anywhere in the file name. this means
that foo.php.jpg will be run as php. where this becomes an issue is web
apps that allow uploads into the webspace for images, pdfs, etc. if the
app assumes that anything.jpg is safe, this addhandler feature will
surprise it.
a fix is to replace two lines in /etc/httpd/conf.d/php.conf:
    AddHandler php5-script .php
    AddType text/html .php
with:
    <FilesMatch \.php$>
        SetHandler php5-script
        ForceType text/html
    </FilesMatch>
i have reported this upstream. hopefully they will see it as a problem
and address it.
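
The following audit sketch is an added example, not part of the original report or of any upstream code. It flags AddHandler lines that bind the php extension and lists upload names that would run as PHP under AddHandler but not under the proposed FilesMatch block. The extension matching is a simplified model of mod_mime, and the function names and sample upload names are constructed for illustration.

```python
import re

# Directives quoted in the report: the shipped lines and the proposed replacement.
SHIPPED = "AddHandler php5-script .php\nAddType text/html .php\n"
PROPOSED = ("<FilesMatch \\.php$>\nSetHandler php5-script\n"
            "ForceType text/html\n</FilesMatch>\n")

# Uncommented "AddHandler <handler> <ext> [<ext> ...]" lines.
ADDHANDLER = re.compile(r"^[ \t]*AddHandler[ \t]+(\S+)[ \t]+(.+)$", re.I | re.M)


def risky_addhandler_lines(conf_text):
    """Return AddHandler lines that map the 'php' extension to a handler."""
    hits = []
    for m in ADDHANDLER.finditer(conf_text):
        # Extensions are case-insensitive and the leading dot is optional.
        exts = [e.lstrip(".").lower() for e in m.group(2).split()]
        if "php" in exts:
            hits.append(m.group(0).strip())
    return hits


def addhandler_runs_php(filename):
    """Simplified mod_mime model (assumption): every dot-separated part
    after the base name counts as an extension, in any position."""
    return "php" in filename.lower().split(".")[1:]


def filesmatch_runs_php(filename):
    """Proposed <FilesMatch \\.php$>: only a trailing .php selects the handler."""
    return re.search(r"\.php$", filename) is not None


def audit_uploads(names):
    """Names executed under AddHandler but not under the FilesMatch block."""
    return [n for n in names
            if addhandler_runs_php(n) and not filesmatch_runs_php(n)]


if __name__ == "__main__":
    # Constructed sample of names found in an upload directory.
    uploads = ["cat.jpg", "foo.php.jpg", "report.pdf", "index.php", "a.PHP.png"]
    print("risky directives:", risky_addhandler_lines(SHIPPED))
    print("would run as php under AddHandler only:", audit_uploads(uploads))
```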