Saiweb » vulnerability http://www.saiweb.co.uk Ramblings of a Sys admin Mon, 06 Feb 2012 14:57:49 +0000 en hourly 1 http://wordpress.org/?v=3.2.1 Apache 2.2.3 dual extention vulnerability http://www.saiweb.co.uk/uncategorized/apache-2-2-3-dual-extention-vulnerability http://www.saiweb.co.uk/uncategorized/apache-2-2-3-dual-extention-vulnerability#comments Tue, 05 Jan 2010 11:33:17 +0000 Buzz http://www.saiweb.co.uk/?p=802 Redhat bug 537535

Take for instance this code saved as test.php.png

1
2
3
<?PHP
print_r($_POST);
?>

Low and behold this will render out the entire post array! and will interpret the php itself, now lets be clear here the proper use of selinux and directory structures to prevent UGC from being allowed to be access directly and / or run arbitrary code would of prevented this, however as is often the case the setup is such that the preventative conditions could not / are not deployed.

At any rate this bug comes courtesy of the apache AddHandler directive,

1
AddHandler x-httpd-php .php

The statement above seems to ‘loose’ match the .php extension meaning a file simply only contain .php anywhere in it’s filename to be interpreted as PHP.

The suggested work around for this is as follows:

1
2
3
4
5
#Workaround for bug here: https://bugzilla.redhat.com/show_bug.cgi?id=537535
<FilesMatch \.php$>
SetHandler x-httpd-php
ForceType text/html
</FilesMatch>

Note this does not effect the AddType directive, after testing on the same version using:

1
AddType application/x-httpd-php .php

Is not effected by this ‘bug’.

]]> http://www.saiweb.co.uk/uncategorized/apache-2-2-3-dual-extention-vulnerability/feed 1