[CentOS] php config security concern for c5

Sun Nov 15 10:59:46 UTC 2009
Drew <drew.kay at gmail.com>

> a recent post on bugtraq hilighted an issue with how upstream has
> configured apache to invoke php, namely using addhandler, which has the
> behavior of matching the extension anywhere in the file.  this means
> that foo.php.jpg will be run as php.  where this becomes an issue is web
> apps that allow uploads into the webspace for images, pdfs, etc.  if the
> app assumes that anything.jpg is safe, this addhandler feature will
> surprise it.

Hi Joe,

Are you sure this is limited to just CentOS? I've seen that config
used before on other distro's apache configs.

>From the Apache 2.x Docs:

---
Care should be taken when a file with multiple extensions gets
associated with both a MIME-type and a handler. This will usually
result in the request being by the module associated with the handler.
For example, if the .imap  extension is mapped to the handler
imap-file (from mod_imap) and the .html extension is mapped to the
MIME-type text/html, then the file world.imap.html will be associated
with both the imap-file handler and text/html MIME-type. When it is
processed, the imap-file handler will be used, and so it will be
treated as a mod_imap imagemap file.
---

So if example.php.gif is read by apache, the AddHandler for
php5-script (mod_php) will take precedence over the mime-type handler
for .gif (image/gif) and the file will be treated as a php script.

>From that it almost sounds like it's not a bug, just apache's own
rules of precedence for handling files that match multiple
extensions/mime-types.


-- 
Drew

"Nothing in life is to be feared. It is only to be understood."
--Marie Curie