Bug 537535 - using addhandler for php has serious security implications
Summary: using addhandler for php has serious security implications
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: php
Version: 5.4
Hardware: All
OS: Linux
Priority: low
Severity: urgent
Target Milestone: rc
Assignee: Joe Orton
QA Contact: BaseOS QE - Apps
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
Reported: 2009-11-14 06:51 UTC by Joe Pruett
Modified: 2010-03-28 20:29 UTC (History)
CC List: 0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-03-28 20:29:14 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments

Description Joe Pruett 2009-11-14 06:51:27 UTC
Description of problem:
Using AddHandler for PHP has very unexpected behavior that can lead to really bad security problems. AddHandler matches the extension anywhere in the filename, so foo.php.jpg will be run as PHP code.

Version-Release number of selected component (if applicable):
All in RHEL 5.

How reproducible:
always

Steps to Reproduce:
1. create file foo.php.jpg with php code as contents and place in web accessible directory
2. visit appropriate url to access file
Actual results:
PHP code is run and HTML displayed.

Expected results:
Malformed image, PHP code displayed as text, something else, but not running it as PHP.

Additional info:
This has major implications for web apps that allow uploads into web folders for things like images, PDF files, etc., expecting that anything.jpg is safe.

See http://httpd.apache.org/docs/2.0/mod/mod_mime.html#multipleext for info about multiple extensions.

A better way to activate PHP is:

<FilesMatch "\.php$">
    SetHandler php5-script
    ForceType text/html
</FilesMatch>
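
The following is an added example and is not part of the bug report or of Apache's own code. It is a small Python model of the mod_mime multiple-extension rules that the report links to: every dot-separated piece after the base name is an extension, each extension may set the handler or the content type, and a later extension only overrides an earlier one for the same attribute. The model shows why AddHandler/AddType treat foo.php.jpg as PHP while the reporter's FilesMatch variant does not, and adds the upload-side filename check an application can apply before a file ever reaches a web-accessible directory. The handler/type maps and the sample filenames are constructed for the illustration; the functions follow the documented rules, not Apache's source.

```python
"""Model of Apache mod_mime multi-extension handler resolution.

Added illustration for this bug, not Apache code. ADD_HANDLER/ADD_TYPE
stand in for the php.conf directives the report is about plus a few
mime.types entries; SAMPLE is constructed test data.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass
class MimeDecision:
    handler: Optional[str] = None
    content_type: Optional[str] = None


# Equivalent of:  AddHandler php5-script .php  /  AddType text/html .php
ADD_HANDLER: Dict[str, str] = {"php": "php5-script"}
ADD_TYPE: Dict[str, str] = {
    "php": "text/html",
    "jpg": "image/jpeg",
    "pdf": "application/pdf",
    "txt": "text/plain",
}


def extensions(filename: str) -> List[str]:
    """mod_mime treats every piece after the base name as an extension
    and compares extensions case-insensitively."""
    return [p.lower() for p in filename.split(".")[1:]]


def resolve_addhandler(filename: str) -> MimeDecision:
    """AddHandler/AddType config: each extension may set the handler or
    the type; a later extension overrides an earlier one only for the
    same attribute, so .php keeps the handler even when .jpg comes last."""
    d = MimeDecision()
    for ext in extensions(filename):
        if ext in ADD_HANDLER:
            d.handler = ADD_HANDLER[ext]
        if ext in ADD_TYPE:
            d.content_type = ADD_TYPE[ext]
    return d


# The reporter's alternative, with the AddHandler/AddType lines for .php
# removed:  <FilesMatch "\.php$"> SetHandler php5-script / ForceType text/html
# Caveat: FilesMatch regexes are case-sensitive as written, unlike
# mod_mime extension matching, so foo.PHP would not be handled here.
PHP_LAST = re.compile(r"\.php$")
TYPES_WITHOUT_PHP = {k: v for k, v in ADD_TYPE.items() if k != "php"}


def resolve_filesmatch(filename: str) -> MimeDecision:
    """Only a trailing .php selects the PHP handler; anything else falls
    through to plain type resolution with no handler at all."""
    if PHP_LAST.search(filename):
        return MimeDecision(handler="php5-script", content_type="text/html")
    d = MimeDecision()
    for ext in extensions(filename):
        if ext in TYPES_WITHOUT_PHP:
            d.content_type = TYPES_WITHOUT_PHP[ext]
    return d


def is_safe_upload_name(filename: str,
                        allowed: Iterable[str] = ("jpg", "png", "pdf")) -> bool:
    """Upload-side check (hypothetical policy): accept only base.ext with a
    non-empty base and exactly one extension from the allowlist, so no
    inner extension can ever reach a handler lookup."""
    base, *exts = filename.split(".")
    allow = {a.lower() for a in allowed}
    return bool(base) and len(exts) == 1 and exts[0].lower() in allow


def would_execute(filenames: Iterable[str]) -> List[str]:
    """Audit helper: names the AddHandler config would run as PHP."""
    return [f for f in filenames if resolve_addhandler(f).handler == "php5-script"]


# Constructed sample of names an upload endpoint might have accepted.
SAMPLE = ["photo.jpg", "foo.php.jpg", "report.pdf",
          "shell.php.txt", "index.php", ".htaccess"]

if __name__ == "__main__":
    for name in SAMPLE:
        print(f"{name:14} AddHandler={resolve_addhandler(name)}  "
              f"FilesMatch={resolve_filesmatch(name)}")
    print("executed under AddHandler:", would_execute(SAMPLE))
    print("passes upload check:", [n for n in SAMPLE if is_safe_upload_name(n)])
```

Running the script side by side makes the difference concrete: under the AddHandler model foo.php.jpg carries both the php5-script handler (from .php) and image/jpeg (from .jpg), and the handler wins; under the FilesMatch model the same name gets no handler and is served as an image. The upload check is the application-side counterpart: rejecting multi-extension names means the server-side handler configuration never has to be relied on as the only line of defence.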

Comment 1 Joe Orton 2010-03-28 20:29:14 UTC
If you have an area of your site which allows untrusted users to upload content and immediately makes that world-viewable, you likely have a security problem anyway.  You generally need to lock down such areas at least using ForceType, or simply by making them inaccessible and vetting them before moving them to be accessible.

