On 26.03.2015 18:02, Michael Orlitzky wrote:
> The most important reason is missing =)
>
> If you are relying on the AddHandler behavior to execute
> secret_database_stuff.php.inc, then once the change is made, Apache will
> begin serving up your database credentials in plain text.
Good point.
Changes:
* Revision bump
* Add section on .php.inc
* Add thanks line
================================================================
Title: Apache AddHandler vulnerability protection
Author: Sebastian Pipping <sp...@gentoo.org>
Content-Type: text/plain
Posted: 2015-03-26
Revision: 2
News-Item-Format: 1.0
Display-If-Installed: www-servers/apache
Apache's directive AddHandler [1] can be used to map
certain file name extensions (e.g. .php) to a handler
(e.g. application/x-httpd-php). While a line like
AddHandler application/x-httpd-php .php .php5 .phtml
matches index.php, it also matches index.php.png.
Apache's notes on multiple file extensions [2] document
a multi-language website as a context where that behavior
may be helpful. Unfortunately, it can be a security threat.
Combined with (not just PHP) applications that support
file upload, the AddHandler directive can get you into
remote code execution situations.
That is why app-admin/eselect-php now avoids AddHandler
and is shipping
<FilesMatch "\.(php|php5|phtml)$">
SetHandler application/x-httpd-php
</FilesMatch>
instead.
Why this news entry?
* Since Apache configuration lives below /etc,
you need to run etc-update (or a substitute)
to actually have related fixes applied.
* If you are currently relying on AddHandler to execute
secret_database_stuff.php.inc, moving away from AddHandler
could result in serving your database credentials in plain
text. A command like
find /var/www/ -name '*.php.*' \
-o -name '*.php5.*' \
-o -name '*.phtml.*'
may help discovering PHP files that would no longer be executed.
* You may be using AddHandler at other places,
including off-package files. Please have a look.
* app-admin/eselect-php is not the only package
affected. There is a dedicated tracker bug at [3].
As of the momment, affected packages include:
app-admin/eselect-php[apache2]
dev-lang/php[apache2]
net-nds/gosa-core
www-apache/mod_fastcgi
www-apache/mod_flvx
www-apache/mod_python
www-apache/mod_suphp
www-apps/moinmoin
www-apps/rt[-lighttpd]
Thanks to Nico Suhl and Michael Orlitzky.
[1] https://httpd.apache.org/docs/current/mod/mod_mime.html#addhandler
[2] https://httpd.apache.org/docs/current/mod/mod_mime.html#multipleext
[3] https://bugs.gentoo.org/show_bug.cgi?id=544560
