It doesn't seem to matter whether the MIME type is known or not: for example, foo.php.txt and foo.php.html are both interpreted as PHP scripts on my test server (Apache/2.0.54).
-----Original Message-----
From: Stanza [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 05, 2005 5:25 AM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Bug with .php extension?

I suppose this is a great bug. It works also on Apache 2. If a user can upload a file and its extension isn't associated to a mime-type, the server processes it as a php file..

Stanza

On 12/5/05, Chris Umphress <[EMAIL PROTECTED]> wrote:
> On 12/4/05, Ron <[EMAIL PROTECTED]> wrote:
> > I'm not sure whether this is something that's well known, but I've
> > never seen anything about it, and I nearly got burned by it, so I
> > figured I'd post it here.
> >
> > In Apache 1.3.33 (untested on any other version), if you have a file
> > called file.php.bak, and you navigate to it in the browser, it will
> > run on the server as a .php file. This works with any extension
> > that isn't known to the server (.rar, .bak, .test, .java, .cpp, .c,
> > etc.)
> >
> > This can impact upload scripts, if they don't rename. I had a
> > script that was only allowing a very limited number of file names,
> > including .rar. I realized that I could upload the file
> > test.php.rar, as demonstrated here:
> > http://www.javaop.com/~iago/test.php.rar
> >
> > (I assure you that that's a .php script, not just that text file).
>
> Whoa, that's interesting. Testing on Apache 2.0.54 gets the same result.
>
> $ echo "<?php echo 'test'; ?>" > /path/to/htdocs/test.php.rar
> $ wget http://localhost/test.php.rar -O /tmp/test.txt
> $ cat /tmp/test.txt; echo
>
> Prints "test". I hadn't heard about this. Thankfully, my webserver
> isn't susceptible to such attacks, let me show you why. In my
> httpd.conf file, I have:
>
> Alias /uploads/ "/var/www/htdocs/"
> Alias /uploads "/var/www/htdocs/"
>
> First, I'm not naming the real directory.... Second, if someone did
> find the upload directory, they would be redirected to the root of the
> server. They couldn't run the script on my server no matter how hard
> they tried.
>
> Thanks for the information.
>
> --
> Chris Umphress <http://daga.dyndns.org/>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
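As an added example, not code from this thread or from Apache itself, the following Python models the multiple-extension handler rule the posts describe and the two defences a practitioner would pair with it: an upload script that renames files to a single allow-listed extension on the server side, and a handler rule anchored to the final extension (the `<FilesMatch "\.php$">` pattern recommended in PHP's installation notes). The handler table, the allow-list and the file names are constructed for the demonstration.

```python
import re
from typing import Optional

# Constructed AddHandler table standing in for httpd.conf (not from the thread).
HANDLERS = {"php": "php-script", "cgi": "cgi-script"}

def mod_mime_handler(filename: str) -> Optional[str]:
    """Simplified model of mod_mime's multiple-extension rule: every dot-separated
    extension is inspected and the rightmost one that maps to a handler wins, so
    an unmapped trailing extension such as .rar or .bak never hides a .php."""
    handler = None
    for ext in filename.lower().split(".")[1:]:   # "test.php.rar" -> ["php", "rar"]
        handler = HANDLERS.get(ext, handler)
    return handler

def filesmatch_handler(filename: str) -> Optional[str]:
    """Model of the usual server-side fix, <FilesMatch "\\.php$"> SetHandler ...,
    which fires only when .php is the final extension of the file name."""
    return "php-script" if re.search(r"\.php$", filename, re.IGNORECASE) else None

ALLOWED = {"rar", "txt", "png"}   # constructed allow-list for the upload script

def last_extension_ok(filename: str) -> bool:
    """The check the thread's upload script relied on: only the final extension
    is tested, so test.php.rar passes."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED

def stored_name(filename: str, upload_id: int) -> Optional[str]:
    """Server-chosen name: exactly one allow-listed extension and a base name
    the client does not control, so no user-supplied '.php' survives."""
    if not last_extension_ok(filename):
        return None
    return f"upload_{upload_id}.{filename.rsplit('.', 1)[-1].lower()}"

if __name__ == "__main__":
    for name in ("test.php.rar", "foo.php.txt", "report.txt"):
        print(name, last_extension_ok(name), mod_mime_handler(name),
              filesmatch_handler(name), stored_name(name, 7))
```

Running it shows that test.php.rar passes the last-extension check and still reaches the PHP handler under the multiple-extension rule, while both the renamed file and the anchored FilesMatch rule keep it from being executed.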