Next round:

* Recipe for handling "\.(php|php5|phtml|phps)\." manually added

* AddType (with similar problems) mentioned, too

* Typo "momment" fixed

(* Internal revision bump to 3, will be committed as revision 1)

(* Date bumped to today)

(* Links renumbered due to new link [2])


================================================================
Title: Apache AddHandler/AddType vulnerability protection
Author: Sebastian Pipping <sping@g.o>
Content-Type: text/plain
Posted: 2015-03-30
Revision: 3
News-Item-Format: 1.0
Display-If-Installed: www-servers/apache

Apache's directives AddHandler [1] (and AddType [2]) can be used
to map certain file name extensions (e.g. .php) to a handler
(e.g. application/x-httpd-php). Apache treats every dot-separated
part of a file name as an extension, so while a line like

  AddHandler application/x-httpd-php .php .php5 .phtml

matches index.php, it also matches index.php.png.

Apache's notes on multiple file extensions [3] document
a multi-language website as a context where that behavior
may be helpful. Unfortunately, it can also be a security threat.

Combined with applications (not just PHP ones) that support
file upload, the AddHandler/AddType directives can get you into
remote code execution situations: an upload filter that only
looks at the last extension accepts shell.php.png as an image,
while Apache hands the file to PHP for execution.

That is why app-admin/eselect-php now avoids AddHandler
and is shipping

  <FilesMatch "\.(php|php5|phtml)$">
    SetHandler application/x-httpd-php
  </FilesMatch>

instead. The pattern is anchored with "$", so only the last
extension of a file name decides whether it is executed.


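To see the difference between the two configurations side by side, here is a small POSIX shell script that emulates how a file name ends up in the PHP handler under the AddHandler line and under the anchored SetHandler rule above, and under the "\.(php|php5|phtml|phps)\." deny recipe given further down. It is an added example, not code from the news item or from eselect-php; it simplifies mod_mime to "every dot-separated part after the first is an extension, and any listed one counts", compared case-insensitively as the AddHandler documentation specifies, and the file names are constructed.

```shell
#!/bin/sh
# Added example (not part of the news item or of eselect-php): emulate the
# three matching rules and compare them over constructed file names.
#
# Assumption: mod_mime is simplified to "every dot-separated part after the
# first one is an extension; if any of them is a listed extension, the file
# is handed to PHP". Extensions are compared case-insensitively.

# Rule 1: AddHandler application/x-httpd-php .php .php5 .phtml
addhandler_executes() {
    name=$(basename -- "$1")
    case $name in
        *.*) ;;
        *)   return 1 ;;            # no extension at all
    esac
    # Split the part after the first dot into one extension per line,
    # lower-case them and look for a listed extension on any line.
    printf '%s\n' "${name#*.}" | tr '.' '\n' | tr 'A-Z' 'a-z' |
        grep -qxE 'php|php5|phtml'
}

# Rule 2: <FilesMatch "\.(php|php5|phtml)$"> + SetHandler application/x-httpd-php
# The "$" anchor means only the last extension counts. The regex is
# case-sensitive, so shell.PHP would not be executed (it would be served raw).
sethandler_executes() {
    basename -- "$1" | grep -Eq '\.(php|php5|phtml)$'
}

# Rule 3: the deny recipe <FilesMatch "\.(php|php5|phtml|phps)\."> matches
# names in which a PHP extension is followed by a further dot.
recipe_denies() {
    basename -- "$1" | grep -Eq '\.(php|php5|phtml|phps)\.'
}

# Constructed sample names: a legitimate script, a disguised upload, an
# include file with credentials, an upper-case variant and two harmless files.
SAMPLES="index.php index.php.png secret_database_stuff.php.inc \
avatar.phtml.jpg shell.PHP.gif readme.txt image.png"

report() {
    printf '%-32s %-11s %-11s %s\n' file AddHandler SetHandler recipe
    for f in $SAMPLES; do
        a=-; s=-; d=-
        addhandler_executes "$f" && a=executes
        sethandler_executes "$f" && s=executes
        recipe_denies "$f"       && d=denied
        printf '%-32s %-11s %-11s %s\n' "$f" "$a" "$s" "$d"
    done
}

report
```

Under the AddHandler rule four of the seven names are executed, including the disguised upload and the include file; under the anchored SetHandler rule only index.php is. Note the last column for shell.PHP.gif: FilesMatch is case-sensitive while AddHandler is not, so the deny recipe leaves a gap if you add it to a configuration that still uses AddHandler. Either drop AddHandler (the actual fix) or prefix the recipe's pattern with (?i).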
Why this news entry?

* Since Apache configuration lives below /etc,
  you need to run etc-update (or a substitute)
  to actually have related fixes applied.

* If you are currently relying on AddHandler to execute
  secret_database_stuff.php.inc, moving away from AddHandler
  could result in serving your database credentials in plain
  text. A command like

    find /var/www/ -type f \
        \( -iname '*.php.*' \
        -o -iname '*.php5.*' \
        -o -iname '*.phtml.*' \)

  may help discovering PHP files that would no longer be executed.
  (-iname rather than -name: mod_mime compares extensions
  case-insensitively, so a file called config.PHP.inc was executed
  by AddHandler, too. Adjust the path if your document root is
  not below /var/www.)

  Shipping automatic protection for this scenario is not trivial,
  but you could manually install protection based on this recipe
  (uncomment exactly one of the three variants; .phps is included
  because AddType is commonly used to map it to the PHP source
  handler):

    <FilesMatch "\.(php|php5|phtml|phps)\.">
        # a) Apache 2.2 / Apache 2.4 + mod_access_compat
        #Order Deny,Allow
        #Deny from all

        # b) Apache 2.4 + mod_authz_core
        #Require all denied

        # c) Apache 2.x + mod_rewrite
        #RewriteEngine on
        #RewriteRule .* - [R=404,L]
    </FilesMatch>

  Note that this pattern only refuses names in which a PHP
  extension is followed by a further dot; it complements the
  anchored SetHandler rule above rather than replacing it.
  Check the configuration (e.g. apache2ctl configtest) before
  reloading the server.

* You may be using AddHandler (or AddType) at other places,
  including off-package files. Please have a look.

* app-admin/eselect-php is not the only package
  affected. There is a dedicated tracker bug at [4].
  At the moment, affected packages include:

    app-admin/eselect-php[apache2]
    dev-lang/php[apache2]
    net-nds/gosa-core
    www-apache/mod_fastcgi
    www-apache/mod_flvx
    www-apache/mod_python
    www-apache/mod_suphp
    www-apps/moinmoin
    www-apps/rt[-lighttpd]


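The checks from the list above (AddHandler/AddType lines still mapping to PHP anywhere in the configuration tree, and files below the document root that AddHandler executed but an anchored SetHandler rule will not) can be scripted. The following is an added example, not code from the news item or from any Gentoo package; /etc/apache2 and /var/www are assumed defaults, and the sandbox it builds to demonstrate itself (including the file name 70_mod_php.conf, chosen to mirror the Gentoo layout) is constructed.

```shell
#!/bin/sh
# Added example, not part of the news item or of any Gentoo package.
# Audits an Apache installation for the two things the news item asks
# you to look at. Default paths are assumptions (Gentoo layout); override
# them via APACHE_CONF_DIR and DOCROOT.

APACHE_CONF_DIR=${APACHE_CONF_DIR:-/etc/apache2}
DOCROOT=${DOCROOT:-/var/www}

# Uncommented AddHandler/AddType directives mapping to the PHP handlers
# (application/x-httpd-php and application/x-httpd-php-source).
find_addhandler_lines() {
    grep -rEn '^[[:space:]]*Add(Handler|Type)[[:space:]]+application/x-httpd-php' \
        "$APACHE_CONF_DIR" 2>/dev/null
}

# Files whose PHP extension is followed by another one. -iname, because
# mod_mime compares extensions case-insensitively.
find_double_extension_php() {
    find "$DOCROOT" -type f \
        \( -iname '*.php.*' -o -iname '*.php5.*' -o -iname '*.phtml.*' \) \
        -print
}

count_lines() { wc -l | tr -d ' '; }
audit_config_count() { find_addhandler_lines | count_lines; }
audit_files_count()  { find_double_extension_php | count_lines; }

# Constructed sandbox so the audit can be demonstrated without a server.
# Prints the sandbox directory.
make_sandbox() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc/apache2/modules.d" "$tmp/www/localhost/htdocs/uploads"
    cat > "$tmp/etc/apache2/modules.d/70_mod_php.conf" <<'EOF'
<IfDefine PHP>
    # Old style: any PHP extension in the name triggers the handler
    AddHandler application/x-httpd-php .php .php5 .phtml
    AddType application/x-httpd-php-source .phps
    #AddHandler application/x-httpd-php .php4
</IfDefine>
<FilesMatch "\.(php|php5|phtml)$">
    SetHandler application/x-httpd-php
</FilesMatch>
EOF
    d=$tmp/www/localhost/htdocs
    for f in index.php style.css secret_database_stuff.php.inc \
             uploads/avatar.php.png uploads/Shot.PHP.jpg uploads/photo.png; do
        printf 'placeholder for %s\n' "$f" > "$d/$f"
    done
    printf '%s\n' "$tmp"
}

# Demo run against the sandbox. For a real audit, run the two find_*
# functions as root with the default paths (or your own).
SANDBOX=$(make_sandbox)
APACHE_CONF_DIR=$SANDBOX/etc/apache2
DOCROOT=$SANDBOX/www
echo "== AddHandler/AddType lines still mapping to PHP"
find_addhandler_lines
echo "== Files AddHandler executed but an anchored SetHandler will not"
find_double_extension_php
```

In the sandbox the audit reports the two live directives (the commented-out one is skipped) and three files: the include file, the disguised upload and the upper-case variant that a plain -name search would miss. Files the second list turns up need either renaming (e.g. secret_database_stuff.php.inc to secret_database_stuff.inc.php) or the deny recipe above, never a reinstated AddHandler.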
Thanks to Nico Suhl, Michael Orlitzky and Marc Schiffbauer.

[1] https://httpd.apache.org/docs/current/mod/mod_mime.html#addhandler
[2] https://httpd.apache.org/docs/current/mod/mod_mime.html#addtype
[3] https://httpd.apache.org/docs/current/mod/mod_mime.html#multipleext
[4] https://bugs.gentoo.org/show_bug.cgi?id=544560