Full Disclosure mailing list archives
Re: Bug with .php extension?
From: "Graham Reed" <greed () pobox com>
Date: Tue, 06 Dec 2005 14:22:07 -0500
Christopher Kunz writes:
Well, actually, I think this is some kind of "feature" and is associated with the behavior that is i.e. demonstrated on default installations of Apache (which have several index.html index.html.de .en .jp etc.), only that this time not mod_negotiation, but mod_mime is responsible.
Not only is it a feature, it's documented: <http://httpd.apache.org/docs/2.0/mod/mod_mime.html> The docs note that the rightmost extension for a paricular category of meta data is used. The exeption is languages and encodings, where they accumulate instead. Unknown extensions contribute nothing, and since they're unknown, it isn't known which category they aren't known for, so nothing happens with them. So, anything dealing with Apache-served files must not look only at the file's suffix, but all positions. To secure the user-upload area discussed earlier, you need to do one of: - Sanitize to a known set of extensions and only allow known-valid groups of content, languate, and encoding extensions. (So .tar.gz is fine, but .php.gz is probably bad.) - Disable PHP for the upload area (is this possible? I don't use PHP myself) - Use ForceType to set a particular type. You've still got to worry about extension-based (instead of type-based) handlers and things link that. - Put up the AddTypes for PHP types only in known-php directories. In this case, you would want your user upload area to be in a totally different place from your DocumentRoot so you don't get anything set on DocumentRoot leaking into the writable subdirectory. (That's a good idea in general, of course; any server directory with a different security policy from DocumentRoot should be somewhere other than under DocumentRoot.)
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Bug with .php extension?, (continued)
- Re: Bug with .php extension? Chris Umphress (Dec 04)
- Re: Bug with .php extension? Stanza (Dec 05)
- Re: Bug with .php extension? Simon Richter (Dec 05)
- Re: Bug with .php extension? Michael Ligh (Dec 05)
- Re: Bug with .php extension? Ron (Dec 05)
- RE: Bug with .php extension? Krpata, Tyler (Dec 05)
- Re: Bug with .php extension? John Bond (Dec 05)
- Re: Bug with .php extension? John Bond (Dec 05)
- Re: Bug with .php extension? John Bond (Dec 05)
- Re: Bug with .php extension? z3n (Dec 06)
- Re: Bug with .php extension? Christopher Kunz (Dec 06)
- Re: Bug with .php extension? Graham Reed (Dec 06)
- Re: Bug with .php extension? Matthew Murphy (Dec 06)
- Re: Bug with .php extension? Christopher Kunz (Dec 06)
- Re: Bug with .php extension? Chris Umphress (Dec 04)