Tamara Temple on Monday, 23 September 2013 - 06:49:
> 
> GoDaddy's default plesk-generated configuration for FastCGI-served PHP
> files only looked to see if the file contained ".php" somewhere on its
> path - i.e. it would happily execute 'malicious.php.txt' as php code,
> even something ridiculous like 'malware.phpnoreallyiwantthistorun'.
> 

Yes, looks stupid.  
But my service provider wrote me this, I quote:
---QUOTE---
This is because Apache offers features like language negotiation based
on extensions, too -- the final extension doesn't always just specify
the handler; it can specify other things. Apache can automatically pick
a German-language script from these, for example:

 file.php.de
 file.php.en

Whether this is a good idea or not is debatable. It's possible to set
things up in a different way (using FilesMatch instead of AddHandler) to
avoid this particular problem, but that breaks other things, so there's
no perfect solution.

More generally, the real problem is that scripts are looking at the
final extension of uploaded files to decide whether they're safe or not,
which is dangerous. They're simply assuming that a ".gif" file can't run
a PHP interpreter, for example... which is usually true, but certainly
not always: some people run all their files through PHP.
---END QUOTE---

The problem is the weak PHP upload mechanism!
As workaround my service provider tries to block suspicious filenames,
but the PHP developers themselves should work on this severe security
problem.

Niklaus
 

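The following is an added example, not code from the thread or from GoDaddy, Plesk or the PHP project. It models the three handler rules discussed above (a `.php`-anywhere FilesMatch, an AddHandler that honours every extension of a multi-extension name, and an end-anchored FilesMatch) and runs them against an upload script's "final extension" check to show which uploaded names would still execute. The mod_mime model is deliberately simplified (it ignores MultiviewsMatch and handler precedence), the handler name `fcgid-script` is only illustrative (it depends on which FastCGI module is in use), and the sample filenames are constructed for the example.

```python
import re

# Constructed sample upload names; the first four are the ones named in the
# thread, the rest are added to show the ordinary cases.
SAMPLES = [
    "index.php",
    "malicious.php.txt",
    "malware.phpnoreallyiwantthistorun",
    "file.php.de",
    "shell.php.gif",
    "photo.gif",
    "notes.txt",
]


def plesk_substring_match(filename: str) -> bool:
    """Weak rule as described by Tamara: the handler applies whenever '.php'
    occurs anywhere in the name, i.e. an unanchored pattern such as
        <FilesMatch "\\.php">  SetHandler fcgid-script  </FilesMatch>
    """
    return re.search(r"\.php", filename) is not None


def apache_addhandler_match(filename: str, ext: str = "php") -> bool:
    """Simplified model of mod_mime multi-extension handling for
        AddHandler fcgid-script .php
    Every dot-separated part after the basename is an extension and the
    handler is set if any of them is 'php', which is why the provider's
    'file.php.de' (language-negotiated) example still runs as PHP.
    """
    parts = filename.split(".")
    return ext in parts[1:]


def filesmatch_anchored(filename: str) -> bool:
    """The FilesMatch alternative the provider mentions, anchored at the end:
        <FilesMatch "\\.php$">  SetHandler fcgid-script  </FilesMatch>
    Only a name whose LAST extension is .php is handed to the interpreter.
    """
    return re.search(r"\.php$", filename) is not None


def naive_upload_check(filename: str, allowed=("gif", "png", "jpg", "txt")) -> bool:
    """The upload-script check the provider calls dangerous: trust only the
    final extension of the uploaded name."""
    return filename.rsplit(".", 1)[-1].lower() in allowed


def strict_upload_check(filename: str, allowed=("gif", "png", "jpg", "txt")) -> bool:
    """Hardened upload-side check (my suggestion, not from the thread):
    accept exactly one extension, and only from the allow-list, so a
    multi-extension name can never be handed to a handler by a second
    extension. Renaming uploads server-side is stronger still."""
    parts = filename.split(".")
    return len(parts) == 2 and parts[0] != "" and parts[1].lower() in allowed


def risky_uploads(handler_rule):
    """Names that pass the naive upload check yet would be executed under
    the given server-side handler rule."""
    return [f for f in SAMPLES if naive_upload_check(f) and handler_rule(f)]


if __name__ == "__main__":
    for rule in (plesk_substring_match, apache_addhandler_match, filesmatch_anchored):
        print(f"{rule.__name__:25s} executes despite upload check: {risky_uploads(rule)}")
    print("strict check accepts:", [f for f in SAMPLES if strict_upload_check(f)])
```

Under both weak rules `malicious.php.txt` and `shell.php.gif` pass the upload check and still execute; the end-anchored FilesMatch leaves nothing executable from that list, while the `.phpnoreally...` name is only caught by the AddHandler and anchored rules, not by the substring rule.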
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
