Re: Bug with .php extension?

["Graham Reed" <greed () pobox com>]

Christopher Kunz writes: 

> Well, actually, I think this is some kind of "feature" and is associated with
> the behavior that is i.e. demonstrated on default installations of Apache (which
>  have several index.html index.html.de .en .jp etc.), only that this time not
> mod_negotiation, but mod_mime is responsible.

Not only is it a feature, it's documented: 

<http://httpd.apache.org/docs/2.0/mod/mod_mime.html> 

The docs note that the rightmost extension for a paricular category of meta 
data is used.  The exeption is languages and encodings, where they 
accumulate instead. 

Unknown extensions contribute nothing, and since they're unknown, it isn't 
known which category they aren't known for, so nothing happens with them. 

So, anything dealing with Apache-served files must not look only at the 
file's suffix, but all positions. 

To secure the user-upload area discussed earlier, you need to do one of: 

- Sanitize to a known set of extensions and only allow known-valid groups of 
content, languate, and encoding extensions.  (So .tar.gz is fine, but 
.php.gz is probably bad.) 

- Disable PHP for the upload area (is this possible?  I don't use PHP 
myself) 

- Use ForceType to set a particular type.  You've still got to worry about 
extension-based (instead of type-based) handlers and things link that. 

- Put up the AddTypes for PHP types only in known-php directories.   In this 
case, you would want your user upload area to be in a totally different 
place from your DocumentRoot so you don't get anything set on DocumentRoot 
leaking into the writable subdirectory.  (That's a good idea in general, of 
course; any server directory with a different security policy from 
DocumentRoot should be somewhere other than under DocumentRoot.) 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/