Bug 537535

Summary: using addhandler for php has serious security implications
Product: Red Hat Enterprise Linux 5
Reporter: Joe Pruett <joey>
Component: php
Assignee: Joe Orton <jorton>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE - Apps <qe-baseos-apps>
Severity: urgent
Priority: low
Version: 5.4
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2010-03-28 20:29:14 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Joe Pruett 2009-11-14 06:51:27 UTC
Description of problem:
Using AddHandler for PHP has very unexpected behavior that can lead to really bad security problems. AddHandler matches the extension anywhere in the filename, so foo.php.jpg will be run as PHP code.

Version-Release number of selected component (if applicable):
all in RHEL 5

How reproducible:
always

Steps to Reproduce:
1. Create file foo.php.jpg with PHP code as contents and place it in a web-accessible directory.
2. Visit the appropriate URL to access the file.

Actual results:
PHP code is run and HTML displayed.

Expected results:
Malformed image, PHP code displayed as text, something else, but not running it as PHP.

Additional info:
This has major implications for web apps that allow uploads into web folders for things like images, PDF files, etc., expecting that anything.jpg is safe.

See:
http://httpd.apache.org/docs/2.0/mod/mod_mime.html#multipleext
for info about multiple extensions.

A better way to activate PHP is:

<FilesMatch "\.php$">
    SetHandler php5-script
    ForceType text/html
</FilesMatch>

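An added example, not part of the bug report: a small Python script that models the two matching rules discussed above (mod_mime's multiple-extension handling for AddHandler versus the trailing-extension FilesMatch pattern) and audits a constructed upload-directory listing for names that would still be executed as PHP. The sample filenames and the helper names are assumptions made for the demonstration.

```python
import os
import re

# Extension the report's AddHandler line binds to the PHP handler.
# Under mod_mime every dot-separated segment after the base name is an
# extension, compared case-insensitively, so the handler fires wherever
# ".php" appears in the name, not only at the end.
ADDHANDLER_EXTENSIONS = {"php"}

# The FilesMatch pattern from the report: only a trailing ".php" counts.
# Note that as written the regex is case-sensitive.
FILESMATCH_PATTERN = re.compile(r"\.php$")


def addhandler_would_execute(filename: str) -> bool:
    """Model mod_mime multiple-extension matching for AddHandler."""
    parts = os.path.basename(filename).split(".")
    # parts[0] is the base name; everything after it is an extension.
    return any(ext.lower() in ADDHANDLER_EXTENSIONS for ext in parts[1:])


def filesmatch_would_execute(filename: str) -> bool:
    r"""Model <FilesMatch "\.php$">: the name must end in .php."""
    return FILESMATCH_PATTERN.search(os.path.basename(filename)) is not None


def audit_upload_names(filenames):
    """Return the names accepted into an upload directory that AddHandler
    would nevertheless hand to the PHP interpreter."""
    return sorted(f for f in filenames if addhandler_would_execute(f))


# Constructed sample listing of a web-accessible upload directory (hypothetical).
SAMPLE_UPLOADS = [
    "photo.jpg",
    "report.pdf",
    "avatar.php.jpg",
    "banner.PHP.png",
    "index.php",
    "notes.txt",
]

if __name__ == "__main__":
    for name in SAMPLE_UPLOADS:
        print(f"{name:16} AddHandler={addhandler_would_execute(name)!s:5} "
              f"FilesMatch={filesmatch_would_execute(name)}")
    print("would run as PHP under AddHandler:", audit_upload_names(SAMPLE_UPLOADS))
```

Running it shows that avatar.php.jpg and banner.PHP.png are executed under AddHandler but not under the FilesMatch rule, while a plain index.php is executed under both.
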
Comment 1 Joe Orton 2010-03-28 20:29:14 UTC
If you have an area of your site which allows untrusted users to upload content and immediately makes that world-viewable, you likely have a security problem anyway.  You generally need to lock down such areas at least using ForceType, or simply by making them inaccessible and vetting them before moving them to be accessible.