On Sunday 26 Apr 2015 18:14:32 Michael Orlitzky wrote:
> On 04/26/2015 04:04 AM, Mick wrote:
> > Hmm ... I am probably affected by this change too. Running find for
> > '*.php.*' et al, comes up with a tonne of files like this:
> >
> > /var/www/My_Website_Name/htdocs/modules/simpletest/tests/upgrade/drupal-7.filled.minimal.database.php.gz
> >
> > If I were to manually install protection, as suggested in the news item,
> > where should I be doing this? In (umpteen) .htaccess files for each
> > vhost, or somewhere in /etc/apache2/*
>
> That's only a problem if those php.gz files can be uploaded by an
> untrusted user (and you want to stop them).
>
> That's a Drupal site, right? If you allow anonymous users to create
> accounts and upload files, then I could create an "mjo" account on your
> site and upload exploit.php.html to sites/default/files/mjo. Then I
> could visit,
>
> http://example.org/sites/default/files/mjo/exploit.php.html
>
> and it would run the script with the permissions of your web server. So,
> it could probably read the database password out of
> sites/default/settings.php.
>
> The half-assed way to prevent that is to block uploads of *.php files,
> but the point of the vulnerability is that not only PHP files will be
> executed. A better way is to disable the PHP engine entirely on any user
> upload directories. There was actually a Drupal CVE for that:
>
> https://www.drupal.org/SA-CORE-2013-003
>
> And yeah, you should do that on every user-upload directory for every
> website you have. It sucks but you can use mod_macro if you have more
> than one e.g. Drupal site. I've got this in our Drupal macro:
>
> <Directory "/var/www/$domain/$host/public/sites/*/files">
>     # Deny access to user-uploaded PHP files.
>     <Files "*.php">
>         Require all denied
>     </Files>
> </Directory>
>
> But maybe it's safer to use,
>
> <Directory "/var/www/$domain/$host/public/sites/*/files">
>     <Files "*">
>         php_flag engine off
>     </Files>
> </Directory>

Ah! Yes, I have these directives in the Drupal 6 & 7 sites' .htaccess files,
as per the advisory you mention.

Thank you for your explanation.

When you say macro, is this something the webapp -U will apply, or is this
some of your own brew of scripts and if so where do you apply it?

--
Regards,
Mick
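For readers following the thread, here is an added illustration (not from either message above, and not Michael's actual macro) of what a mod_macro definition wrapping his second snippet looks like in the server config rather than per-vhost .htaccess files. The macro name, the site list and the LoadModule path are assumptions; the directory layout and directives are the ones quoted above. Note that php_flag is only honoured by mod_php, so on a PHP-FPM setup the equivalent has to be done in the FPM pool or by removing the handler for that tree.

```apache
# Added example, assuming mod_macro is available (it ships with Apache 2.4).
LoadModule macro_module modules/mod_macro.so

# One definition, expanded once per site. $domain and $host are substituted
# wherever they appear, exactly as in the <Directory> path quoted in the thread.
<Macro DrupalUploadHardening $domain $host>
    <Directory "/var/www/$domain/$host/public/sites/*/files">
        # Turn the PHP engine off for every file in the user-upload tree,
        # so multi-extension names like exploit.php.html or foo.php.gz are
        # served as plain data instead of being executed.
        <Files "*">
            php_flag engine off
        </Files>
        # Belt and braces: refuse to serve anything ending in .php at all.
        <FilesMatch "\.php$">
            Require all denied
        </FilesMatch>
    </Directory>
</Macro>

# Apply it to each Drupal site; add one line per site rather than copying
# the block into umpteen .htaccess files. Site names here are made up.
Use DrupalUploadHardening example.org www
Use DrupalUploadHardening example.net www

# Undefine after the last Use so a stray later reference is a config error
# (caught by "apachectl configtest") instead of silently expanding.
UndefMacro DrupalUploadHardening
```

After a reload, requesting an uploaded .php.html file should return its source text with a non-PHP Content-Type, which is the quick check that the engine is really off for that directory.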