Public bug reported:

Binary package hint: libapache2-mod-php5

The Apache directives inside /etc/apache2/mods-available/php5.conf are both wrong and insecure. The relevant lines are:

---
AddType application/x-httpd-php .php .phtml .php3
AddType application/x-httpd-php-source .phps
---

1. 'AddType' is an Apache directive to configure the mime-type of files for the CLIENT side. However, PHP is executed at the SERVER side, hence 'AddHandler' or 'SetHandler' must be used instead.

2. In my experience users running Apache with mod_php expect that only files ending with .php, .phtml or .php3 will be processed by the PHP interpreter. However, the 'AddType' directives above will enable PHP for all files CONTAINING .php, .phtml or .php3. For example, also 'file.php.something' will be executed on the server as long as it contains PHP code [1].

Upstream has updated its documentation [2] some months ago to correct those problems and now states:

---
Tell Apache to parse certain extensions as PHP. For example, let's have Apache parse .php files as PHP. Instead of only using the Apache AddType directive, we want to avoid potentially dangerous uploads and created files such as exploit.php.jpg from being executed as PHP. Using this example, you could have any extension(s) parse as PHP by simply adding them. We'll add .phtml to demonstrate.

<FilesMatch \.php$>
    SetHandler application/x-httpd-php
</FilesMatch>
[...]
---

Please change /etc/apache2/mods-available/php5.conf accordingly.

As far as I know this bug exists in all versions of libapache2-mod-php5 and is therefore true for all Ubuntu versions.

[1] http://httpd.apache.org/docs/2.2/en/mod/mod_mime.html#multipleext
[2] http://www.php.net/manual/en/install.unix.apache2.php

** Affects: php5 (Ubuntu)
     Importance: Undecided
         Status: New

--
Wrong/insecure configuration of PHP module
https://bugs.launchpad.net/bugs/358703
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to php5 in ubuntu.
--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
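The point of the report is easiest to see by walking a few filenames through the three configurations side by side: the shipped AddType lines, the naive replacement with AddHandler, and the FilesMatch/SetHandler form upstream recommends. The script below is an added example written for this page, not code from the bug report, the php5 package or Apache. It is a hypothetical model of the two mod_mime rules that matter here (every dot-separated extension is examined left to right, unknown extensions are ignored, and the rightmost known extension wins for a given kind of metadata) plus the Apache core rule that a request falls back to its content type as handler when no handler was set. It ignores TypesConfig, DefaultType, per-directory .htaccess and everything else mod_mime does; the two mime.types entries and the sample filenames are constructed, and the FilesMatch regex is my extension of the upstream \.php$ to the three extensions the shipped config lists.

```python
import re
from dataclasses import dataclass, field

PHP_TYPE = "application/x-httpd-php"


@dataclass
class MimeConfig:
    """Minimal, hypothetical model of the mod_mime directives used on this page."""
    add_type: dict = field(default_factory=dict)     # AddType:    ".ext" -> MIME type
    add_handler: dict = field(default_factory=dict)  # AddHandler: ".ext" -> handler
    files_match: list = field(default_factory=list)  # <FilesMatch regex> SetHandler h


def resolve(cfg: MimeConfig, path: str):
    """Return (content_type, handler) as mod_mime would set them on the request.

    mod_mime walks every dot-separated extension of the basename from left to
    right. An extension it does not know is simply ignored; when several known
    extensions map onto the same kind of metadata, the rightmost one wins
    (httpd mod_mime docs, "Files with Multiple Extensions").
    """
    basename = path.rsplit("/", 1)[-1]
    ctype = handler = None
    for ext in basename.split(".")[1:]:
        ext = "." + ext.lower()
        if ext in cfg.add_type:
            ctype = cfg.add_type[ext]
        if ext in cfg.add_handler:
            handler = cfg.add_handler[ext]
    # SetHandler inside <FilesMatch> matches the whole basename against a regex
    # and overrides whatever the extension walk produced.
    for pattern, h in cfg.files_match:
        if re.search(pattern, basename):
            handler = h
    return ctype, handler


def runs_as_php(cfg: MimeConfig, path: str) -> bool:
    """True if mod_php would execute the file.

    Apache dispatches on the request handler and falls back to the content
    type when no handler was set; mod_php5 claims requests whose effective
    handler is application/x-httpd-php.
    """
    ctype, handler = resolve(cfg, path)
    effective = handler if handler is not None else ctype
    return effective == PHP_TYPE


# Two entries standing in for what /etc/mime.types would register (constructed).
BASE_TYPES = {".jpg": "image/jpeg", ".txt": "text/plain"}

# 1. The directives quoted in the bug report (Ubuntu's php5.conf).
SHIPPED = MimeConfig(add_type={**BASE_TYPES,
                               ".php": PHP_TYPE, ".phtml": PHP_TYPE, ".php3": PHP_TYPE,
                               ".phps": "application/x-httpd-php-source"})

# 2. The naive "fix": same extensions, AddHandler instead of AddType.
ADDHANDLER = MimeConfig(add_type=dict(BASE_TYPES),
                        add_handler={".php": PHP_TYPE, ".phtml": PHP_TYPE, ".php3": PHP_TYPE})

# 3. The upstream recommendation; regex widened (my assumption) to the three
#    extensions the shipped config lists.
FILESMATCH = MimeConfig(add_type=dict(BASE_TYPES),
                        files_match=[(r"\.(php|phtml|php3)$", PHP_TYPE)])

# Constructed sample names: a normal script, an upload with an unknown trailing
# extension, two uploads with a known trailing extension, and a plain text file.
SAMPLES = ["index.php", "upload.php.something", "shell.php.jpg",
           "shell.php.txt", "notes.txt"]


def audit(cfg: MimeConfig, names=SAMPLES) -> dict:
    """Map each filename to whether the configuration would hand it to PHP."""
    return {n: runs_as_php(cfg, n) for n in names}


if __name__ == "__main__":
    for label, cfg in [("AddType (shipped php5.conf)", SHIPPED),
                       ("AddHandler", ADDHANDLER),
                       ("FilesMatch + SetHandler", FILESMATCH)]:
        print(label)
        for name, php in audit(cfg).items():
            print(f"  {name:24} {'EXECUTED by PHP' if php else 'served as data'}")
```

Two things the table makes visible that the prose alone does not. Under the shipped AddType lines, 'upload.php.something' runs as PHP because '.something' is unknown to mod_mime and so cannot displace the type set by '.php', which is exactly the report's example; 'shell.php.jpg' does not, because '.jpg' is known and sits to the right. Swapping AddType for AddHandler is worse, not better: '.jpg' and '.txt' set a type but no handler, so the PHP handler from '.php' survives and every 'x.php.anything' executes. Only the FilesMatch/SetHandler form pins execution to names that actually end in a PHP extension. A quick check after editing php5.conf: drop a file named test.php.txt containing '<?php phpinfo(); ?>' into the document root and request it; the response should come back as text/plain with the source visible, not the phpinfo page.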