severity 674205 critical
block 674089 674205
affects
stop

Hi.
Increasing severity to critical, because this is touched / very important ... with respect to recent changes in the mime-types package, ... which basically break all use of PHP in Debian (in wheezy) ... and will even lead to disclosure of all PHP source files served by webservers in the usual case.

There is a bug dealing with the background at: #674089

I guess both CGI and mod_php are affected by this, but I haven't checked for the latter, as it's security-wise ... "problematic", which is why I never use it.

The short story is that the php mime-type was removed from mime-types. At least those Apache/PHP installations using CGI will then lose the handler on these files, which makes them just served as plain text files.

This breaks unrelated software (all those using php) and is a security problem.

See the aforementioned bug for what I suggest to do now. Basically:

1) Add a NEWS item entry that these mime types were removed from /etc/mime.types and what this could mean. Possibly linking to the above bug.

2) Add documentation for the end-users on how they should (safely) enable PHP.

For CGI this would be the above (with a corrected mistake):
-------------------------------------------------------
# Note: The following is a security measure to remove any possible mappings
# that would also apply on “middle extensions” (for example “test.php.png”).
RemoveType php
<Files ?*.php>
    AddType application/x-php php
</Files>
ScriptAlias /cgi-bin/php5-cgi /usr/lib/cgi-bin/php5
Action application/x-php /cgi-bin/php5-cgi
-------------------------------------------------------
plus the note that one SHOULD limit AT LEAST the ScriptAlias and Action to _only_ such <Directory> blocks where php files to be interpreted reside.

Above I used "application/x-php", no longer "application/x-httpd-php".
May I point out again that it's rather important to really re-do the:
-------------------------------------------------------
RemoveType php
<Files ?*.php>
    AddType application/x-php php
</Files>
-------------------------------------------------------
in Apache, even if we should add "application/x-php php" back to mime-types. This is because by only that, Apache would also interpret files like:
evil-virus.php.jpeg
as PHP.

Cheers,
Chris.
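To make the "middle extension" argument above concrete, here is a small model of how Apache's mod_mime assigns a MIME type from a filename, written as an added example for this report (it is not code from the bug, from Debian or from Apache). It emulates only the rule that matters here: every dot-separated extension is examined left to right, each one with a known mapping overrides the type, and an extension with no mapping is ignored, so "upload.php.bak" keeps the php type when ".bak" is unmapped. The MIME table is a constructed stand-in for /etc/mime.types with just the entries the demo needs, and the two configurations are assumed to be (A) the old global php mapping with Action hooked onto it, and (B) the RemoveType / <Files ?*.php> AddType snippet from the report. It does not model AddHandler-style mod_php setups, where the handler attribute is independent of the type and a later extension does not clear it.

```python
import fnmatch

# Constructed stand-in for /etc/mime.types: only the entries this demo needs.
MIME_TYPES = {
    "php": "application/x-httpd-php",  # the mapping the report says was removed
    "png": "image/png",
    "html": "text/html",
}


def resolve_type(filename, global_types, files_sections=(), removed=()):
    """Approximate mod_mime's extension walk for one filename.

    global_types   -- the /etc/mime.types table (extension -> type)
    removed        -- extensions dropped by RemoveType at the same scope
    files_sections -- list of (glob, {ext: type}) emulating
                      <Files glob> AddType type ext </Files>; the AddType is
                      applied only if the WHOLE filename matches the glob
    """
    active = {ext: t for ext, t in global_types.items() if ext not in removed}
    for pattern, extra in files_sections:
        if fnmatch.fnmatch(filename, pattern):
            active.update(extra)
    mime = None
    # Walk extensions left to right; a later mapped extension overrides an
    # earlier one, an unmapped extension leaves the type untouched.
    for ext in filename.split(".")[1:]:
        ext = ext.lower()
        if ext in active:
            mime = active[ext]
    return mime


# Configuration A (assumed): php mapped globally in mime.types, and
#   Action application/x-httpd-php /cgi-bin/php5-cgi
# so anything that resolves to that type is handed to the interpreter.
def is_php_global(filename):
    return resolve_type(filename, MIME_TYPES) == "application/x-httpd-php"


# Configuration B (the report's snippet): RemoveType php, AddType only inside
# <Files ?*.php>, and Action application/x-php /cgi-bin/php5-cgi.
SCOPED_ADDTYPE = [("?*.php", {"php": "application/x-php"})]


def is_php_scoped(filename):
    mime = resolve_type(filename, MIME_TYPES, SCOPED_ADDTYPE, removed={"php"})
    return mime == "application/x-php"


def compare(filenames):
    """Return {filename: (runs under A, runs under B)} for a list of names."""
    return {f: (is_php_global(f), is_php_scoped(f)) for f in filenames}


if __name__ == "__main__":
    for name, (a, b) in compare(["index.php", "upload.php.bak", "notes.txt"]).items():
        print(f"{name:18} global mapping: {a!s:5}  scoped <Files>: {b!s:5}")
```

The interesting row is "upload.php.bak": under the global mapping the unmapped trailing extension leaves the php type in place and the file would be passed to the CGI interpreter, while under the scoped configuration the filename does not match `?*.php`, no AddType applies, and RemoveType has already dropped the global entry, so the file is not interpreted. Plain "index.php" is interpreted under both.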