Hi!
In context of https://bugs.gentoo.org/show_bug.cgi?id=538822 mjo and agreed that a portage news item would be a good idea. Please review my proposal below. Thank you! Best, Sebastian =========================================================== Title: Apache AddHandler vulnerability protection Author: Sebastian Pipping <sp...@gentoo.org> Content-Type: text/plain Posted: 2015-03-26 Revision: 1 News-Item-Format: 1.0 Display-If-Installed: www-servers/apache Apache's directive AddHandler [1] can be used to map certain file name extensions (e.g. .php) to a handler (e.g. application/x-httpd-php). While a line like AddHandler application/x-httpd-php .php .php5 .phtml matches index.php, it also matches index.php.png. Apache's notes on multiple file extensions [2] document a multi-language website as a context where that behavior may be helpful. Unfortunately, it can be a security threat. Combined with (not just PHP) applications that support file upload, the AddHandler directive can get you into remote code execution situations. That is why app-admin/eselect-php now avoids AddHandler and is shipping <FilesMatch "\.(php|php5|phtml)$"> SetHandler application/x-httpd-php </FilesMatch> instead. Why this news entry? * Since Apache configuration lives below /etc, you need to run etc-update (or a substitute) to actually have related fixes applied. * You may be using AddHandler at other places, including off-package files. Please have a look. * app-admin/eselect-php is not the only package affected. There is a dedicated tracker bug at [3]. As of the momment, affected packages include: app-admin/eselect-php[apache2] dev-lang/php[apache2] net-nds/gosa-core www-apache/mod_fastcgi www-apache/mod_flvx www-apache/mod_python www-apache/mod_suphp www-apps/moinmoin www-apps/rt[-lighttpd] [1] https://httpd.apache.org/docs/current/mod/mod_mime.html#addhandler [2] https://httpd.apache.org/docs/current/mod/mod_mime.html#multipleext [3] https://bugs.gentoo.org/show_bug.cgi?id=544560
