Gentoo Archives: gentoo-user

From: Mick <michaelkintzios@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] apache2 AddHandler/SetHandler vulnerability
Date: Sun, 26 Apr 2015 21:49:10
Message-Id: 201504262248.51228.michaelkintzios@gmail.com
In Reply to: Re: [gentoo-user] apache2 AddHandler/SetHandler vulnerability by Michael Orlitzky
On Sunday 26 Apr 2015 18:14:32 Michael Orlitzky wrote:
> On 04/26/2015 04:04 AM, Mick wrote:
> > Hmm ... I am probably affected by this change too. Running find for
> > '*.php.*' et al, comes up with a tonne of files like this:
> >
> > /var/www/My_Website_Name/htdocs/modules/simpletest/tests/upgrade/drupal-7.filled.minimal.database.php.gz
> >
> > If I were to manually install protection, as suggested in the news item,
> > where should I be doing this? In (umpteen) .htaccess files for each
> > vhost, or somewhere in /etc/apache2/*
>
> That's only a problem if those php.gz files can be uploaded by an
> untrusted user (and you want to stop them).
>
> That's a Drupal site, right? If you allow anonymous users to create
> accounts and upload files, then I could create an "mjo" account on your
> site and upload exploit.php.html to sites/default/files/mjo. Then I
> could visit,
>
> http://example.org/sites/default/files/mjo/exploit.php.html
>
> and it would run the script with the permissions of your web server. So,
> it could probably read the database password out of
> sites/default/settings.php.
>
> The half-assed way to prevent that is to block uploads of *.php files,
> but the point of the vulnerability is that not only PHP files will be
> executed. A better way is to disable the PHP engine entirely on any user
> upload directories. There was actually a Drupal CVE for that:
>
> https://www.drupal.org/SA-CORE-2013-003
>
> And yeah, you should do that on every user-upload directory for every
> website you have. It sucks but you can use mod_macro if you have more
> than one e.g. Drupal site. I've got this in our Drupal macro:
>
> <Directory "/var/www/$domain/$host/public/sites/*/files">
>   # Deny access to user-uploaded PHP files.
>   <Files "*.php">
>     Require all denied
>   </Files>
> </Directory>
>
> But maybe it's safer to use,
>
> <Directory "/var/www/$domain/$host/public/sites/*/files">
>   <Files "*">
>     php_flag engine off
>   </Files>
> </Directory>

Ah! Yes, I have these directives in the drupal 6 & 7 sites .htaccess files,
as per the advisory you mention.

Thank you for your explanation.

When you say macro, is this something the webapp -U will apply, or is this
some of your own brew of scripts and if so where do you apply it?

--
Regards,
Mick

Attachments

File name MIME type
signature.asc application/pgp-signature

Replies

Subject Author
Re: [gentoo-user] apache2 AddHandler/SetHandler vulnerability Michael Orlitzky <mjo@g.o>
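
Added example (not from either poster): a Python audit of an upload directory that lists every file carrying a PHP extension in any position, and marks which of them a `<Files "*.php">` block like the first one quoted above would match. It assumes only `.php` is mapped to the PHP handler and treats every dot-separated part after the base name as an extension; `classify`, `audit`, `demo` and the sample tree are constructed for illustration.

```python
import os
import tempfile
from fnmatch import fnmatchcase

PHP_EXTS = {"php"}  # assumption: the only extension mapped to the PHP handler


def classify(filename, php_exts=PHP_EXTS):
    """Return 'final', 'inner' or None for one file name.

    Conservative model: every dot-separated part after the base name is an
    extension, and a PHP extension in any position selects the handler.
    """
    exts = [e.lower() for e in filename.split(".")[1:]]
    if not any(e in php_exts for e in exts):
        return None
    return "final" if exts[-1] in php_exts else "inner"


def audit(upload_dir, files_pattern="*.php"):
    """List (path, kind, covered) for files that would reach the PHP handler.

    'covered' says whether a <Files "files_pattern"> deny block matches the name.
    """
    findings = []
    for dirpath, _dirs, names in os.walk(upload_dir):
        for name in names:
            kind = classify(name)
            if kind is None:
                continue
            rel = os.path.relpath(os.path.join(dirpath, name), upload_dir)
            findings.append((rel, kind, fnmatchcase(name, files_pattern)))
    return sorted(findings)


def demo():
    # Constructed sample tree standing in for sites/default/files.
    names = ["mjo/exploit.php.html", "mjo/upload.php", "mjo/photo.jpg",
             "drupal-7.filled.minimal.database.php.gz", "php.txt"]
    with tempfile.TemporaryDirectory() as root:
        for n in names:
            path = os.path.join(root, n)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return audit(root)


if __name__ == "__main__":
    for rel, kind, covered in demo():
        print(f'{rel:45} {kind:6} matched by <Files "*.php">: {covered}')
```

Files reported as `inner` and not matched are the ones a `*.php`-only rule leaves reachable, which is the case the `php_flag engine off` variant addresses.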