Re: [PHP] Apache's PHP handlers
On Sep 19, 2013, at 9:14 AM, Arno Kuhl a...@dotcontent.net wrote: Arno: If you can request that file using a web browser, and it gets executed as PHP on your server then there is an error in the Apache configuration. Easy test: create a file in a text editor containing some PHP (?php phpinfo(); ? would be enough) and upload it to the www root of your site and name it test.pgif. Then hit http://www.yourdomain.com/test.pgif in your browser. If you see the PHP code or an error then you're fine. If you see PHP's info page then you need to change web host as quickly as possible. I don't care if they fix it - the fact their server was configured to do this by default is enough for me to never trust them again. -Stuart -- Thanks Stuart. I just tried it now, test.php.pgif displayed the info while test.xyz.pgif returned the content, confirming the problem. My service provider finally conceded the problem is on their side and are looking for an urgent fix, much too complicated to consider moving service providers in the short term. As a side note, the sp said the issue is new and coincided with an upgrade to fastcgi recently, I wonder if the hacker was exploiting a known issue with that scenario? Cheers Arno GoDaddy's default plesk-generated configuration for FastCGI-served PHP files only looked to see if the file contained .php somewhere on it's path - i.e. it would happily execute 'malicilous.php.txt' as php code, even something ridiculous like 'malware.phpnoreallyiwantthistorun'. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache's PHP handlers
- Original Message - From: Arno Kuhl a...@dotcontent.net To: php-general@lists.php.net Sent: Thursday, September 19, 2013 1:35 PM Subject: [PHP] Apache's PHP handlers For the past week I've been trying to get to the bottom of an exploit, but googling hasn't been much help so far, nor has my service provider. Basically a file was uploaded with the filename xxx.php.pgif which contained nasty php code, and then the file was run directly from a browser. The upload script used to upload this file checks that the upload filename doesn't have a .php extension, which in this case it doesn't, so let it through. I was under the impression apache would serve any file with an extension not listed in its handlers directly back to the browser, but instead it sent it to the php handler. Is this normal behaviour or is there a problem with my service provider's apache configuration? Trying this on my localhost returns the file contents directly to the browser as expected and doesn't run the php code. Cheers Arno Arno, the php file hidden as a gif will indeed not execute if opened directly from your website. But if opened from a page hosted elsewhere with some code like require($path_to_your_image), the php code inside the image will be sent to the php handler and will be executed. Prevention is the best way to avoid hacking from image upload. Check the file extention and the file content before upload. Cheers. Steven -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Apache's PHP handlers
-Original Message- From: Ken Robinson [mailto:kenrb...@rbnsn.com] Sent: 19 September 2013 01:52 PM To: a...@dotcontent.net Cc: php-general@lists.php.net Subject: Re: [PHP] Apache's PHP handlers Check you .htaccess file. The hackers could have modified it to allow that type of file to be executed. I had some that modified my .htaccess file to go to a spam site when my site got a 404 error. That was nasty. Ken Sent from my iPad On Sep 19, 2013, at 7:35 AM, Arno Kuhl a...@dotcontent.net wrote: For the past week I've been trying to get to the bottom of an exploit, but googling hasn't been much help so far, nor has my service provider. Basically a file was uploaded with the filename xxx.php.pgif which contained nasty php code, and then the file was run directly from a browser. The upload script used to upload this file checks that the upload filename doesn't have a .php extension, which in this case it doesn't, so let it through. I was under the impression apache would serve any file with an extension not listed in its handlers directly back to the browser, but instead it sent it to the php handler. Is this normal behaviour or is there a problem with my service provider's apache configuration? Trying this on my localhost returns the file contents directly to the browser as expected and doesn't run the php code. Cheers Arno S Hi Ken, .htaccess wasn't modified, this file was just uploaded and run. So far all my service provider has told me is it was because the filename contained .php in the filename, even though it's not the extension, and that's the reason apache sent it to the php handler. I'm sure that can't be right, otherwise it would be open to all sorts of exploits. Cheers Arno -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Apache's PHP handlers
For the past week I've been trying to get to the bottom of an exploit, but googling hasn't been much help so far, nor has my service provider. Basically a file was uploaded with the filename xxx.php.pgif which contained nasty php code, and then the file was run directly from a browser. The upload script used to upload this file checks that the upload filename doesn't have a .php extension, which in this case it doesn't, so let it through. I was under the impression apache would serve any file with an extension not listed in its handlers directly back to the browser, but instead it sent it to the php handler. Is this normal behaviour or is there a problem with my service provider's apache configuration? Trying this on my localhost returns the file contents directly to the browser as expected and doesn't run the php code. -- Arno, the php file hidden as a gif will indeed not execute if opened directly from your website. But if opened from a page hosted elsewhere with some code like require($path_to_your_image), the php code inside the image will be sent to the php handler and will be executed. Prevention is the best way to avoid hacking from image upload. Check the file extention and the file content before upload. Cheers. Steven -- Hi Steven, I agree the best way to avoid this is for the file upload script to check the file contents and that's something I'll have to sort out, currently it just checks the extension. But it's still a concern that a file with any arbitrary extension can be processed as php script as long as it has the text .php in the filename. I'm not worried about including the file because that would require pre-existing malicious php code, I want to prevent that malicious php code from running in the first place. Cheers Arno -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache's PHP handlers
Hi Arno,
it has nothing to do with .php in the file name. What the hacker did, was
uploading a .gif file with some malicious php code included to your
webserver. Then he called the .gif file from his own website by using a php
script containing some code like
require_once('http://www.yoursite.com/images/yourimage.gif'). At that moment
the php code inside the .gif file has been executed.
Steven
- Original Message -
From: Arno Kuhl a...@dotcontent.net
To: 'Design in Motion Webdesign' i...@designinmotion.be;
php-general@lists.php.net
Sent: Thursday, September 19, 2013 2:43 PM
Subject: RE: [PHP] Apache's PHP handlers
For the past week I've been trying to get to the bottom of an exploit,
but
googling hasn't been much help so far, nor has my service provider.
Basically a file was uploaded with the filename xxx.php.pgif which
contained
nasty php code, and then the file was run directly from a browser. The
upload script used to upload this file checks that the upload filename
doesn't have a .php extension, which in this case it doesn't, so let it
through. I was under the impression apache would serve any file with an
extension not listed in its handlers directly back to the browser, but
instead it sent it to the php handler. Is this normal behaviour or is
there
a problem with my service provider's apache configuration? Trying this on
my localhost returns the file contents directly to the browser as
expected
and doesn't run the php code.
--
Arno,
the php file hidden as a gif will indeed not execute if opened directly
from
your website. But if opened from a page hosted elsewhere with some code
like
require($path_to_your_image), the php code inside the image will be sent
to
the php handler and will be executed.
Prevention is the best way to avoid hacking from image upload. Check the
file extention and the file content before upload.
Cheers.
Steven
--
Hi Steven, I agree the best way to avoid this is for the file upload
script
to check the file contents and that's something I'll have to sort out,
currently it just checks the extension. But it's still a concern that a
file
with any arbitrary extension can be processed as php script as long as it
has the text .php in the filename. I'm not worried about including the
file because that would require pre-existing malicious php code, I want to
prevent that malicious php code from running in the first place.
Cheers
Arno
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache's PHP handlers
On 19 Sep 2013, at 13:58, Design in Motion Webdesign i...@designinmotion.be
wrote:
it has nothing to do with .php in the file name. What the hacker did, was
uploading a .gif file with some malicious php code included to your
webserver. Then he called the .gif file from his own website by using a php
script containing some code like
require_once('http://www.yoursite.com/images/yourimage.gif'). At that moment
the php code inside the .gif file has been executed.
In possibly the most pointless way ever! In that scenario the script would be
executed on the hacker's server (assuming Apache is set up correctly), so
there's no point in her managing to put it on your server at all!
Arno: If you can request that file using a web browser, and it gets executed as
PHP on your server then there is an error in the Apache configuration.
Easy test: create a file in a text editor containing some PHP (?php phpinfo();
? would be enough) and upload it to the www root of your site and name it
test.pgif. Then hit http://www.yourdomain.com/test.pgif in your browser. If you
see the PHP code or an error then you're fine. If you see PHP's info page then
you need to change web host as quickly as possible. I don't care if they fix it
- the fact their server was configured to do this by default is enough for me
to never trust them again.
-Stuart
--
Stuart Dallas
3ft9 Ltd
http://3ft9.com/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache's PHP handlers
The best way to handle file uploads is to:
1) Store the filename somewhere in the DB, rename the file to a random
string without extension and store the mapping in the DB as well.
2) When sending the file, set the header content to the filename and output
the content of the file via PHP (ex: by readfile).
Aziz
This way even if the file is PHP code, it will be of no issue to you.
On Thu, Sep 19, 2013 at 9:05 AM, Stuart Dallas stu...@3ft9.com wrote:
On 19 Sep 2013, at 13:58, Design in Motion Webdesign
i...@designinmotion.be wrote:
it has nothing to do with .php in the file name. What the hacker did,
was uploading a .gif file with some malicious php code included to your
webserver. Then he called the .gif file from his own website by using a php
script containing some code like require_once('
http://www.yoursite.com/images/yourimage.gif'). At that moment the php
code inside the .gif file has been executed.
In possibly the most pointless way ever! In that scenario the script would
be executed on the hacker's server (assuming Apache is set up correctly),
so there's no point in her managing to put it on your server at all!
Arno: If you can request that file using a web browser, and it gets
executed as PHP on your server then there is an error in the Apache
configuration.
Easy test: create a file in a text editor containing some PHP (?php
phpinfo(); ? would be enough) and upload it to the www root of your site
and name it test.pgif. Then hit http://www.yourdomain.com/test.pgif in
your browser. If you see the PHP code or an error then you're fine. If you
see PHP's info page then you need to change web host as quickly as
possible. I don't care if they fix it - the fact their server was
configured to do this by default is enough for me to never trust them again.
-Stuart
--
Stuart Dallas
3ft9 Ltd
http://3ft9.com/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache's PHP handlers
On 19 Sep 2013, at 14:39, Aziz Saleh azizsa...@gmail.com wrote: The best way to handle file uploads is to: 1) Store the filename somewhere in the DB, rename the file to a random string without extension and store the mapping in the DB as well. 2) When sending the file, set the header content to the filename and output the content of the file via PHP (ex: by readfile). Aziz This way even if the file is PHP code, it will be of no issue to you. What you describe it highly inefficient, clunky, and unnecessary. You've managed to get PHP and a database involved in serving a static file, for no reason other than to avoid fixing the web server configuration. A misconfigured web server should be fixed, not worked around. -Stuart -- Stuart Dallas 3ft9 Ltd http://3ft9.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache's PHP handlers
On Thursday, September 19, 2013, Stuart Dallas wrote: On 19 Sep 2013, at 14:39, Aziz Saleh azizsa...@gmail.com javascript:; wrote: The best way to handle file uploads is to: 1) Store the filename somewhere in the DB, rename the file to a random string without extension and store the mapping in the DB as well. 2) When sending the file, set the header content to the filename and output the content of the file via PHP (ex: by readfile). Aziz This way even if the file is PHP code, it will be of no issue to you. What you describe it highly inefficient, clunky, and unnecessary. You've managed to get PHP and a database involved in serving a static file, for no reason other than to avoid fixing the web server configuration. A misconfigured web server should be fixed, not worked around. -Stuart -- Stuart Dallas 3ft9 Ltd http://3ft9.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php You can also run a strip_tags() call on the file upload to help prevent this Bastien -- Bastien Cat, the other other white meat
RE: [PHP] Apache's PHP handlers
Arno: If you can request that file using a web browser, and it gets executed as PHP on your server then there is an error in the Apache configuration. Easy test: create a file in a text editor containing some PHP (?php phpinfo(); ? would be enough) and upload it to the www root of your site and name it test.pgif. Then hit http://www.yourdomain.com/test.pgif in your browser. If you see the PHP code or an error then you're fine. If you see PHP's info page then you need to change web host as quickly as possible. I don't care if they fix it - the fact their server was configured to do this by default is enough for me to never trust them again. -Stuart -- Thanks Stuart. I just tried it now, test.php.pgif displayed the info while test.xyz.pgif returned the content, confirming the problem. My service provider finally conceded the problem is on their side and are looking for an urgent fix, much too complicated to consider moving service providers in the short term. As a side note, the sp said the issue is new and coincided with an upgrade to fastcgi recently, I wonder if the hacker was exploiting a known issue with that scenario? Cheers Arno -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Apache's PHP handlers
On Thu, 2013-09-19 at 16:14 +0200, Arno Kuhl wrote: Arno: If you can request that file using a web browser, and it gets executed as PHP on your server then there is an error in the Apache configuration. Easy test: create a file in a text editor containing some PHP (?php phpinfo(); ? would be enough) and upload it to the www root of your site and name it test.pgif. Then hit http://www.yourdomain.com/test.pgif in your browser. If you see the PHP code or an error then you're fine. If you see PHP's info page then you need to change web host as quickly as possible. I don't care if they fix it - the fact their server was configured to do this by default is enough for me to never trust them again. -Stuart -- Thanks Stuart. I just tried it now, test.php.pgif displayed the info while test.xyz.pgif returned the content, confirming the problem. My service provider finally conceded the problem is on their side and are looking for an urgent fix, much too complicated to consider moving service providers in the short term. As a side note, the sp said the issue is new and coincided with an upgrade to fastcgi recently, I wonder if the hacker was exploiting a known issue with that scenario? Cheers Arno I think most importantly, validate your input! If you're expecting an image, check to make sure it's an image. Use the imagecopyresampled() function that's part of GD to create a duplicate of the exact same size to ensure that it's both an image and not containing a hidden payload (which has happened to JPEG images before) If it's a file of another type, use a different appropriate method to validate that. DOMDocument will deal with XML and HTML documents, you can use zip functions to inspect Office documents (the newer types at least), FPDF to handle PDF files, etc. By only checking the extension you're relying on user-supplied data, which by definition is tainted. Thanks, Ash http://www.ashleysheridan.co.uk
