Re: [Full-disclosure] Bug with .php extension?
Christopher Kunz writes:

> Well, actually, I think this is some kind of "feature" and is associated with
> the behavior that is i.e. demonstrated on default installations of Apache (which
> have several index.html index.html.de .en .jp etc.), only that this time not
> mod_negotiation, but mod_mime is responsible.

Not only is it a feature, it's documented:

<http://httpd.apache.org/docs/2.0/mod/mod_mime.html>

The docs note that the rightmost extension for a particular category of meta data is used. The exception is languages and encodings, where they accumulate instead.

Unknown extensions contribute nothing, and since they're unknown, it isn't known which category they aren't known for, so nothing happens with them.

So, anything dealing with Apache-served files must not look only at the file's suffix, but all positions.

To secure the user-upload area discussed earlier, you need to do one of:

- Sanitize to a known set of extensions and only allow known-valid groups of content, language, and encoding extensions. (So .tar.gz is fine, but .php.gz is probably bad.)

- Disable PHP for the upload area (is this possible? I don't use PHP myself)

- Use ForceType to set a particular type. You've still got to worry about extension-based (instead of type-based) handlers and things like that.

- Put up the AddTypes for PHP types only in known-php directories. In this case, you would want your user upload area to be in a totally different place from your DocumentRoot so you don't get anything set on DocumentRoot leaking into the writable subdirectory. (That's a good idea in general, of course; any server directory with a different security policy from DocumentRoot should be somewhere other than under DocumentRoot.)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
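As an added illustration of the first mitigation in the post (it is not code from the poster or from the Apache project), the Python below models the mod_mime rule the docs describe (rightmost extension wins per category, languages and encodings accumulate, unknown extensions contribute nothing) and then applies an allow-list check to every dot-separated suffix of an uploaded file name, not just the last one. The extension sets are constructed stand-ins for what a real server derives from its mime.types, AddType, AddLanguage and AddEncoding configuration; handler-bound extensions are modelled as their own group for clarity.

```python
import re

# Constructed allow-lists standing in for the server's own mime.types /
# AddType / AddLanguage / AddEncoding tables (hypothetical values).
CONTENT_EXTENSIONS = {"txt", "html", "htm", "png", "jpg", "jpeg", "gif", "pdf", "tar", "zip"}
LANGUAGE_EXTENSIONS = {"en", "de", "fr", "jp"}
ENCODING_EXTENSIONS = {"gz", "bz2", "z"}

# Extensions that a server-side handler is typically bound to. They are
# rejected wherever they appear in the name, because mod_mime looks at
# every position, not only the final suffix.
HANDLER_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "cgi", "pl", "shtml"}

# Base name before the first dot: plain characters only, non-empty.
_SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]+$")


def resolve_like_mod_mime(filename):
    """Apply the rule described in the mod_mime docs to a file name.

    Rightmost extension wins for content type (and, in this model, handler);
    languages and encodings accumulate in order; unknown extensions are
    collected but contribute nothing to the result.
    """
    result = {
        "content": None,
        "content_count": 0,
        "handler": None,
        "languages": [],
        "encodings": [],
        "unknown": [],
    }
    for suffix in filename.split(".")[1:]:
        key = suffix.lower()          # Apache matches extensions case-insensitively
        if key in HANDLER_EXTENSIONS:
            result["handler"] = key
        elif key in CONTENT_EXTENSIONS:
            result["content"] = key
            result["content_count"] += 1
        elif key in LANGUAGE_EXTENSIONS:
            result["languages"].append(key)
        elif key in ENCODING_EXTENSIONS:
            result["encodings"].append(key)
        else:
            result["unknown"].append(key)
    return result


def classify_upload_name(filename):
    """Return (accepted, reason) for a proposed upload file name.

    Accepts only names whose every suffix belongs to a known group, with no
    handler-bound extension anywhere and exactly one content extension, so
    the type the server will assign is unambiguous.
    """
    stem = filename.split(".")[0]
    if not _SAFE_STEM.match(stem):
        return False, "stem is empty or contains disallowed characters"
    info = resolve_like_mod_mime(filename)
    if info["handler"] is not None:
        return False, "handler extension .%s present" % info["handler"]
    if info["unknown"]:
        return False, "unknown extension(s): " + ", ".join(info["unknown"])
    if info["content_count"] != 1:
        return False, "need exactly one content extension, found %d" % info["content_count"]
    return True, "content=%s" % info["content"]


if __name__ == "__main__":
    # Constructed sample names, including the two from the post.
    for name in ["report.tar.gz", "shell.php.gz", "index.html.de",
                 "photo.jpg.php", "notes.txt.bak", "README", "../x.txt"]:
        print("%-16s -> %s" % (name, classify_upload_name(name)))
```

The check deliberately rejects names with more than one content extension (e.g. `x.png.jpg`) even though Apache would simply take the rightmost, because an upload area should not accept names whose served type depends on a server-side tie-break rule.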