RE: [Full-disclosure] Bug with .php extension?
- To: "Stanza" <d.stanzani@xxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: RE: [Full-disclosure] Bug with .php extension?
- From: "Krpata, Tyler" <tkrpata@xxxxxxx>
- Date: Mon, 5 Dec 2005 09:56:14 -0500
It doesn't seem to matter if the mime type is known or not, for example
foo.php.txt and foo.php.html are both interpreted as PHP scripts on my
test server. (Apache/2.0.54)
-----Original Message-----
From: Stanza [mailto:d.stanzani@xxxxxxxxx]
Sent: Monday, December 05, 2005 5:25 AM
To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Bug with .php extension?
I suppose this is a great bug. It works also on Apache 2. If a user can
upload a file and its extension isn't associated with a mime-type, the
server processes it as a php file.
Stanza
On 12/5/05, Chris Umphress <umphress@xxxxxxxxx> wrote:
> On 12/4/05, Ron <iago@xxxxxxxxxxxxxxxxxxx> wrote:
> > I'm not sure whether this is something that's well known, but I've
> > never seen anything about it, and I nearly got burned by it, so I
> > figured I'd post it here.
> >
> > In Apache 1.3.33 (untested on any other version), if you have a file
> > called file.php.bak, and you navigate to it in the browser, it will
> > run on the server as a .php file. This works with any extension
> > that isn't known to the server (.rar, .bak, .test, .java, .cpp, .c,
> > etc.)
> >
> > This can impact upload scripts, if they don't rename. I had a
> > script that was only allowing a very limited number of file names,
> > including .rar. I realized that I could upload the file
> > test.php.rar, as demonstrated here:
> > http://www.javaop.com/~iago/test.php.rar
> >
> > (I assure you that that's a .php script, not just that text file).
>
> Whoa, that's interesting. Testing on Apache 2.0.54 gets the same
> result.
>
> $ echo "<?php echo 'test'; ?>" > /path/to/htdocs/test.php.rar
> $ wget http://localhost/test.php.rar -O /tmp/test.txt
> $ cat /tmp/test.txt; echo
>
> Prints "test". I hadn't heard about this. Thankfully, my webserver
> isn't susceptible to such attacks, let me show you why. In my
> httpd.conf file, I have:
>
> Alias /uploads/ "/var/www/htdocs/"
> Alias /uploads "/var/www/htdocs/"
>
> First, I'm not naming the real directory.... Second, if someone did
> find the upload directory, they would be redirected to the root of the
> server. They couldn't run the script on my server no matter how hard
> they tried.
>
> Thanks for the information.
>
> --
> Chris Umphress <http://daga.dyndns.org/>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
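An added example, not code from any poster in this thread: the last-extension-only check that Ron's upload script relied on, beside a check that treats every dot-separated component the way mod_mime does (unknown extensions are skipped, so a script extension anywhere in the name can still be the one that fires), plus the rename-on-upload step the thread recommends. The SCRIPT_EXTS and ALLOWED_EXTS sets are assumptions for a typical Apache/PHP setup; only .php and .rar come from the thread.

```python
import os
import secrets
from typing import Optional

# Extensions a typical Apache/PHP setup hands to the PHP handler
# (assumed set; ".php" is the one the thread demonstrates).
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml", "phps"}

# Extensions the upload form intends to accept (assumed set).
ALLOWED_EXTS = {"rar", "zip", "txt", "jpg", "png"}


def naive_check(filename: str) -> bool:
    """The flawed check from the thread: looks only at the final extension,
    so 'test.php.rar' passes even though Apache runs it as PHP."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_EXTS


def hardened_check(filename: str) -> bool:
    """Accept a name only if every extension component is on the allow list
    and none of them is a script extension. Also rejects dotfiles such as
    .htaccess and names with no extension at all."""
    base = os.path.basename(filename)
    parts = base.split(".")
    if len(parts) < 2 or not parts[0]:
        return False  # no extension, or a dotfile
    exts = [p.lower() for p in parts[1:]]
    if any(e in SCRIPT_EXTS for e in exts):
        return False  # mod_mime would still hand this to the PHP handler
    return all(e in ALLOWED_EXTS for e in exts)


def safe_stored_name(filename: str) -> Optional[str]:
    """Rename on upload: discard the client-supplied name entirely and keep
    only a single allow-listed extension on a random base name."""
    if not hardened_check(filename):
        return None
    ext = filename.rsplit(".", 1)[-1].lower()
    return f"{secrets.token_hex(16)}.{ext}"
```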