On 26.03.2015 18:02, Michael Orlitzky wrote:
> The most important reason is missing =)
>
> If you are relying on the AddHandler behavior to execute
> secret_database_stuff.php.inc, then once the change is made, Apache will
> begin serving up your database credentials in plain text.

Good point.
|

Changes:

* Revision bump

* Add section on .php.inc

* Add thanks line

================================================================
Title: Apache AddHandler vulnerability protection
Author: Sebastian Pipping <sping@g.o>
Content-Type: text/plain
Posted: 2015-03-26
Revision: 2
News-Item-Format: 1.0
Display-If-Installed: www-servers/apache
|
Apache's directive AddHandler [1] can be used to map
certain file name extensions (e.g. .php) to a handler
(e.g. application/x-httpd-php). While a line like

  AddHandler application/x-httpd-php .php .php5 .phtml

matches index.php, it also matches index.php.png.

Apache's notes on multiple file extensions [2] document
a multi-language website as a context where that behavior
may be helpful. Unfortunately, it can be a security threat.

Combined with (not just PHP) applications that support
file upload, the AddHandler directive can get you into
remote code execution situations.
|
That is why app-admin/eselect-php now avoids AddHandler
and is shipping

  <FilesMatch "\.(php|php5|phtml)$">
    SetHandler application/x-httpd-php
  </FilesMatch>

instead.
|

Why this news entry?

* Since Apache configuration lives below /etc,
  you need to run etc-update (or a substitute)
  to actually have related fixes applied.

* If you are currently relying on AddHandler to execute
  secret_database_stuff.php.inc, moving away from AddHandler
  could result in serving your database credentials in plain
  text. A command like

      find /var/www/ -name '*.php.*' \
            -o -name '*.php5.*' \
            -o -name '*.phtml.*'

  may help discover PHP files that would no longer be executed.
|
* You may be using AddHandler at other places,
  including off-package files. Please have a look.

* app-admin/eselect-php is not the only package
  affected. There is a dedicated tracker bug at [3].
  As of the moment, affected packages include:

      app-admin/eselect-php[apache2]
      dev-lang/php[apache2]
      net-nds/gosa-core
      www-apache/mod_fastcgi
      www-apache/mod_flvx
      www-apache/mod_python
      www-apache/mod_suphp
      www-apps/moinmoin
      www-apps/rt[-lighttpd]

|
Thanks to Nico Suhl and Michael Orlitzky.

[1] https://httpd.apache.org/docs/current/mod/mod_mime.html#addhandler
[2] https://httpd.apache.org/docs/current/mod/mod_mime.html#multipleext
[3] https://bugs.gentoo.org/show_bug.cgi?id=544560
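
Added example, not part of the original message or of any Gentoo package: a Python sketch of the audit the find command in the news item performs, listing files that the AddHandler line would hand to PHP but the FilesMatch block would not. The function names and the sample tree are constructed for illustration, and the AddHandler check is a simplified model of mod_mime (every dot-separated component after the base name counts as an extension).

```python
import os
import re
import tempfile

# Extensions from the AddHandler line quoted in the news item.
PHP_EXTS = {"php", "php5", "phtml"}
# Regex from the FilesMatch block quoted in the news item.
FILESMATCH = re.compile(r"\.(php|php5|phtml)$")

def addhandler_matches(name):
    """Simplified mod_mime model: any extension after the base name selects the handler."""
    parts = name.lstrip(".").split(".")   # leading dots belong to the base name
    # mod_mime documents the extension argument as case-insensitive.
    return any(p.lower() in PHP_EXTS for p in parts[1:])

def filesmatch_matches(name):
    """FilesMatch model: only the end of the file name is considered."""
    return FILESMATCH.search(name) is not None

def audit(docroot):
    """Return sorted relative paths handled by AddHandler but not by FilesMatch."""
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if addhandler_matches(name) and not filesmatch_matches(name):
                full = os.path.join(dirpath, name)
                hits.append(os.path.relpath(full, docroot))
    return sorted(hits)

def demo():
    """Audit a constructed sample tree (file names are made up for the example)."""
    sample = ("index.php", "secret_database_stuff.php.inc",
              "uploads/index.php.png", "php.txt", "style.css")
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "uploads"))
        for rel in sample:
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("")
        return audit(root)

if __name__ == "__main__":
    # Each path printed needs a decision before switching to FilesMatch:
    # rename it so it still executes, or move it out of the document root.
    for path in demo():
        print(path)
```

Both kinds of hit matter: a .php.inc file would start being served as plain text, while a .php.png file under an upload directory is one that the old configuration would have executed.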