Bug 537535 - using addhandler for php has serious security implications
Summary: using addhandler for php has serious security implications
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: php
Version: 5.4
Hardware: All
OS: Linux
Target Milestone: rc
: ---
Assignee: Joe Orton
QA Contact: BaseOS QE - Apps
Depends On:
TreeView+ depends on / blocked
Reported: 2009-11-14 06:51 UTC by Joe Pruett
Modified: 2010-03-28 20:29 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2010-03-28 20:29:14 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description Joe Pruett 2009-11-14 06:51:27 UTC
Description of problem:
using addhandler for php has very unexpected behavior that can lead to really bad security problems.  addhandler matches the extension anywhere in the filename, so foo.php.jpg will be run as php code.

Version-Release number of selected component (if applicable):
all in rhel5

How reproducible:

Steps to Reproduce:
1. create file foo.php.jpg with php code as contents and place in web accessible directory
2. visit appropriate url to access file
Actual results:
php code is run and html displayed

Expected results:
malformed image, php code displayed as text, something else, but not running it as php

Additional info:
this has major implications for web apps that allow uploads into web folders for things like images, pdf files, etc.  expecting that anything.jpg is safe.

for info about multiple extensions.

a better way to activate php is:

<FilesMatch \.php$>
SetHandler php5-script
ForceType text/html

Comment 1 Joe Orton 2010-03-28 20:29:14 UTC
If you have an area of your site which allows untrusted users to upload content and immediately makes that world-viewable, you likely have a security problem anyway.  You generally need to lock down such areas at least using ForceType, or simply by making them inaccessible and vetting them before moving them to be accessible.

Note You need to log in before you can comment on or make changes to this bug.