| 1 |
On 04/26/2015 04:04 AM, Mick wrote: |
| 2 |
> |
| 3 |
> Hmm ... I am probably affected by this change too. Running find for '*.php.*' |
| 4 |
> et al, comes up with a tonne of files like this: |
| 5 |
> |
| 6 |
> /var/www/My_Website_Name/htdocs/modules/simpletest/tests/upgrade/drupal-7.filled.minimal.database.php.gz |
| 7 |
> |
| 8 |
> If I were to manually install protection, as suggested in the news item, where |
| 9 |
> should I be doing this? In (umpteen) .htaccess files for each vhost, or |
| 10 |
> somewhere in /etc/apache2/* |
| 11 |
> |
| 12 |
|
| 13 |
That's only a problem if those php.gz files can be uploaded by an |
| 14 |
untrusted user (and you want to stop them). |
| 15 |
|
| 16 |
That's a Drupal site, right? If you allow anonymous users to create |
| 17 |
accounts and upload files, then I could create an "mjo" account on your |
| 18 |
site and upload exploit.php.html to sites/default/files/mjo. Then I |
| 19 |
could visit, |
| 20 |
|
| 21 |
http://example.org/sites/default/files/mjo/exploit.php.html |
| 22 |
|
| 23 |
and it would run the script with the permissions of your web server. So, |
| 24 |
it could probably read the database password out of |
| 25 |
sites/default/settings.php. |
| 26 |
|
| 27 |
The half-assed way to prevent that is to block uploads of *.php files, |
| 28 |
but the point of the vulnerability is that not only PHP files will be |
| 29 |
executed. A better way is to disable the PHP engine entirely on any user |
| 30 |
upload directories. There was actually a Drupal CVE for that: |
| 31 |
|
| 32 |
https://www.drupal.org/SA-CORE-2013-003 |
| 33 |
|
| 34 |
And yeah, you should do that on every user-upload directory for every |
| 35 |
website you have. It sucks but you can use mod_macro if you have more |
| 36 |
than one e.g. Drupal site. I've got this in our Drupal macro: |
| 37 |
|
| 38 |
<Directory "/var/www/$domain/$host/public/sites/*/files"> |
| 39 |
# Deny access to user-uploaded PHP files. |
| 40 |
<Files "*.php"> |
| 41 |
Require all denied |
| 42 |
</Files> |
| 43 |
</Directory> |
| 44 |
|
| 45 |
But maybe it's safer to use, |
| 46 |
|
| 47 |
<Directory "/var/www/$domain/$host/public/sites/*/files"> |
| 48 |
<Files "*"> |
| 49 |
php_flag engine off |
| 50 |
</Files> |
| 51 |
</Directory> |
Archives