On 12/4/05, Ron <[EMAIL PROTECTED]> wrote: > I'm not sure whether this is something that's well known, but I've never > seen anything about it, and I nearly got burned by it, so I figured I'd > post it here. > > In Apache 1.3.33 (untested on any other version), if you have a file > called file.php.bak, and you navigate to it in the browser, it will run > on the server as a .php file. This works with any extension that isn't > known to the server (.rar, .bak, .test, .java, .cpp, .c, etc.) > > This can impact upload scripts, if they don't rename. I had a script > that was only allowing a very limited number of file names, including > .rar. I realized that I could upload the file test.php.rar, as > demonstrated here: > http://www.javaop.com/~iago/test.php.rar > > (I assure you that that's a .php script, not just that text file).
Whoa, that's interesting. Testing on Apache 2.0.54 gets the same result. $ echo "<?php echo 'test'; ?>">/path/to/htdocs/test.php.rar $ wget http://localhost/test.php.rar -O /tmp/test.txt $ cat /tmp/test.text;echo Prints "test". I hadn't heard about this. Thankfully, my webserver isn't susceptible to such attacks, let me show you why. In my httpd.conf file, I have: Alias /uploads/ "/var/www/htdocs/" Alias /uploads "/var/www/htdocs/" First, I'm not naming the real directory.... Second, if someone did find the upload directory, they would be redirected to the root of the server. They couldn't run the script on my server no matter how hard they tried. Thanks for the information. -- Chris Umphress <http://daga.dyndns.org/> _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
