RE: Bug with .php extension?

["Krpata, Tyler" <tkrpata () bjs com>]

It doesn't seem to matter if the mime type is known or not, for example
foo.php.txt and foo.php.html are both interpreted as PHP scripts on my
test server. (Apache/2.0.54)

-----Original Message-----
From: Stanza [mailto:d.stanzani () gmail com] 
Sent: Monday, December 05, 2005 5:25 AM
To: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] Bug with .php extension?

I suppose this is a great bug. It work also on apache 2. If a user can
upload a file and it's extension isn't associated to a mime-type, the
server processes it as a php file..

Stanza
On 12/5/05, Chris Umphress <umphress () gmail com> wrote:
> On 12/4/05, Ron <iago () valhallalegends com> wrote:
> > I'm not sure whether this is something that's well known, but I've 
> > never seen anything about it, and I nearly got burned by it, so I 
> > figured I'd post it here.
> >
> > In Apache 1.3.33 (untested on any other version), if you have a file

> > called file.php.bak, and you navigate to it in the browser, it will 
> > run on the server as a .php file.  This works with any extension 
> > that isn't known to the server (.rar, .bak, .test, .java, .cpp, .c, 
> > etc.)
> >
> > This can impact upload scripts, if they don't rename.  I had a 
> > script that was only allowing a very limited number of file names, 
> > including .rar.  I realized that I could upload the file 
> > test.php.rar, as demonstrated here:
> > http://www.javaop.com/~iago/test.php.rar
> >
> > (I assure you that that's a .php script, not just that text file).
>
> Whoa, that's interesting. Testing on Apache 2.0.54 gets the same
result.
> $ echo "<?php echo 'test'; ?>">/path/to/htdocs/test.php.rar $ wget 
> http://localhost/test.php.rar -O /tmp/test.txt $ cat 
> /tmp/test.text;echo
>
> Prints "test". I hadn't heard about this. Thankfully, my webserver 
> isn't susceptible to such attacks, let me show you why. In my 
> httpd.conf file, I have:
>
> Alias /uploads/ "/var/www/htdocs/"
> Alias /uploads "/var/www/htdocs/"
>
> First, I'm not naming the real directory.... Second, if someone did 
> find the upload directory, they would be redirected to the root of the

> server. They couldn't run the script on my server no matter how hard 
> they tried.
>
> Thanks for the information.
>
> --
> Chris Umphress <http://daga.dyndns.org/> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/