Hello,

By default, the PHP plugin allows running any content via the PHP interpreter.
This behaviour can be restricted by the "php-allowed-ext" config directive.

Sadly, the default config (no php-allowed-ext directive enforced) opens a serious
security hole in some environments: Remote Code Execution via user-uploaded content.

Take this example Apache config:
ProxyPassMatch "^.*\.php$" uwsgi://localhost:4000/

Despite the strict extension matching in ProxyPassMatch, there is a problem:
if a non-privileged, authenticated user is able to upload, e.g., his avatar
image to the site (a valid .jpg with EXIF info), he can put PHP code into the EXIF
and execute it simply by fetching:

http://site.url/uploads/myavatar.jpg/anystring.php

Such attacks are very widespread on community sites (forums, boards, etc.).

The default config is not secure enough. uWSGI configuration is a "monster";
the php-allowed-ext directive could be overlooked by beginners (and even by more
security-conscious users) and open a security hole.

The default config should impose a strict extension match (".php" only), and
be overridable by first use of "php-allowed-ext".

BTW, I did not check cgi-allowed-ext... could it be the same problem?

Regards,

--
Piotr Gackiewicz
Intertele S.A. - operator of the ITL.PL and DOMENY.ITL.PL systems
al. T. Rejtana 10, 35-310 Rzeszów
TEL: +48 17 8507580, FAX: +48 17 8520275

http://www.itl.pl       - reliable hosting services
http://domeny.itl.pl    - cheap internet domains
http://www.intertele.pl
_______________________________________________
uWSGI mailing list
uWSGI@lists.unbit.it
http://lists.unbit.it/cgi-bin/mailman/listinfo/uwsgi

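The following is an added example, not part of the original message and not the uWSGI project's code. It models the two checks the post describes: the Apache ProxyPassMatch rule, which only looks at the end of the URL, and the PATH_INFO-style walk that turns "/uploads/myavatar.jpg/anystring.php" into SCRIPT_FILENAME "uploads/myavatar.jpg" plus PATH_INFO "/anystring.php". The path walk is an assumption about how the uWSGI PHP plugin locates the script (it is written here from scratch for illustration); the sample JPEG bytes, the document root layout and the `demo` helper are constructed. It then shows the request being executed with no php-allowed-ext set and refused when only ".php" is allowed.

```python
import os
import re
import tempfile

# The Apache rule from the post: only URLs ending in .php reach uWSGI.
APACHE_PROXY_RE = re.compile(r"^.*\.php$")

# Constructed sample (not a real image): a JPEG-like blob whose EXIF/comment
# area carries a PHP tag, the way a doctored avatar upload would.
FAKE_AVATAR_JPG = b"\xff\xd8\xff\xe1<?php system($_GET['c']); ?>\xff\xd9"

# Hardened uWSGI fragment as the post proposes (syntax as the author
# describes it; check it against the docs for your uWSGI version).
HARDENED_UWSGI_INI = """[uwsgi]
plugin = php
php-allowed-ext = .php
"""


def apache_would_proxy(url_path: str) -> bool:
    """True if ProxyPassMatch "^.*\\.php$" would forward this URL to uWSGI."""
    return APACHE_PROXY_RE.match(url_path) is not None


def resolve_script(docroot: str, url_path: str):
    """Model of PATH_INFO splitting (assumption: the uWSGI PHP plugin walks
    the request path in a similar way; this is not the plugin's code).

    Walk the URL one component at a time; the longest prefix that is an
    existing regular file becomes SCRIPT_FILENAME and the rest PATH_INFO.
    Returns (script_filename, path_info), or (None, None) if nothing exists.
    """
    parts = [p for p in url_path.split("/") if p]
    for i in range(len(parts), 0, -1):
        candidate = os.path.join(docroot, *parts[:i])
        if os.path.isfile(candidate):
            return candidate, "/" + "/".join(parts[i:])
    return None, None


def would_execute(docroot: str, url_path: str, allowed_exts=None) -> bool:
    """Decide whether the resolved file is handed to the PHP interpreter.

    allowed_exts=None models the default described in the post (no
    php-allowed-ext: whatever file is found gets executed); a list such as
    [".php"] models `php-allowed-ext = .php`.
    """
    script, _ = resolve_script(docroot, url_path)
    if script is None:
        return False
    if allowed_exts is None:
        return True
    return any(script.endswith(ext) for ext in allowed_exts)


def demo(allowed_exts=None) -> dict:
    """Run the avatar request against a constructed document root."""
    with tempfile.TemporaryDirectory() as docroot:
        os.makedirs(os.path.join(docroot, "uploads"))
        with open(os.path.join(docroot, "uploads", "myavatar.jpg"), "wb") as f:
            f.write(FAKE_AVATAR_JPG)
        url = "/uploads/myavatar.jpg/anystring.php"
        script, path_info = resolve_script(docroot, url)
        proxied = apache_would_proxy(url)
        return {
            "proxied": proxied,
            "script": (os.path.relpath(script, docroot).replace(os.sep, "/")
                       if script else None),
            "path_info": path_info,
            "executed": proxied and would_execute(docroot, url, allowed_exts),
        }


if __name__ == "__main__":
    print("default (no php-allowed-ext):", demo())
    print("php-allowed-ext = .php:      ", demo([".php"]))
```

The Apache regex is satisfied because the URL ends in ".php", so the request is proxied; the uploaded .jpg is the longest existing path prefix, so it becomes the script, and without an extension whitelist it is interpreted. Restricting to ".php" makes the same request fail at the last check, which is the behaviour the post asks for by default.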