| 1 |
Hi! |
| 2 |
|
| 3 |
|
| 4 |
In context of |
| 5 |
|
| 6 |
https://bugs.gentoo.org/show_bug.cgi?id=538822 |
| 7 |
|
| 8 |
mjo and agreed that a portage news item would be a good idea. |
| 9 |
Please review my proposal below. Thank you! |
| 10 |
|
| 11 |
Best, |
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
Sebastian |
| 16 |
|
| 17 |
|
| 18 |
=========================================================== |
| 19 |
Title: Apache AddHandler vulnerability protection |
| 20 |
Author: Sebastian Pipping <sping@g.o> |
| 21 |
Content-Type: text/plain |
| 22 |
Posted: 2015-03-26 |
| 23 |
Revision: 1 |
| 24 |
News-Item-Format: 1.0 |
| 25 |
Display-If-Installed: www-servers/apache |
| 26 |
|
| 27 |
Apache's directive AddHandler [1] can be used to map |
| 28 |
certain file name extensions (e.g. .php) to a handler |
| 29 |
(e.g. application/x-httpd-php). While a line like |
| 30 |
|
| 31 |
AddHandler application/x-httpd-php .php .php5 .phtml |
| 32 |
|
| 33 |
matches index.php, it also matches index.php.png. |
| 34 |
|
| 35 |
Apache's notes on multiple file extensions [2] document |
| 36 |
a multi-language website as a context where that behavior |
| 37 |
may be helpful. Unfortunately, it can be a security threat. |
| 38 |
|
| 39 |
Combined with (not just PHP) applications that support |
| 40 |
file upload, the AddHandler directive can get you into |
| 41 |
remote code execution situations. |
| 42 |
|
| 43 |
That is why app-admin/eselect-php now avoids AddHandler |
| 44 |
and is shipping |
| 45 |
|
| 46 |
<FilesMatch "\.(php|php5|phtml)$"> |
| 47 |
SetHandler application/x-httpd-php |
| 48 |
</FilesMatch> |
| 49 |
|
| 50 |
instead. |
| 51 |
|
| 52 |
|
| 53 |
Why this news entry? |
| 54 |
|
| 55 |
* Since Apache configuration lives below /etc, |
| 56 |
you need to run etc-update (or a substitute) |
| 57 |
to actually have related fixes applied. |
| 58 |
|
| 59 |
* You may be using AddHandler at other places, |
| 60 |
including off-package files. Please have a look. |
| 61 |
|
| 62 |
* app-admin/eselect-php is not the only package |
| 63 |
affected. There is a dedicated tracker bug at [3]. |
| 64 |
As of the momment, affected packages include: |
| 65 |
|
| 66 |
app-admin/eselect-php[apache2] |
| 67 |
dev-lang/php[apache2] |
| 68 |
net-nds/gosa-core |
| 69 |
www-apache/mod_fastcgi |
| 70 |
www-apache/mod_flvx |
| 71 |
www-apache/mod_python |
| 72 |
www-apache/mod_suphp |
| 73 |
www-apps/moinmoin |
| 74 |
www-apps/rt[-lighttpd] |
| 75 |
|
| 76 |
|
| 77 |
[1] https://httpd.apache.org/docs/current/mod/mod_mime.html#addhandler |
| 78 |
[2] https://httpd.apache.org/docs/current/mod/mod_mime.html#multipleext |
| 79 |
[3] https://bugs.gentoo.org/show_bug.cgi?id=544560 |
Archives