lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon Dec  5 05:25:30 2005
From: umphress at gmail.com (Chris Umphress)
Subject: Bug with .php extension?

On 12/4/05, Ron <iago@...hallalegends.com> wrote:
> I'm not sure whether this is something that's well known, but I've never
> seen anything about it, and I nearly got burned by it, so I figured I'd
> post it here.
>
> In Apache 1.3.33 (untested on any other version), if you have a file
> called file.php.bak, and you navigate to it in the browser, it will run
> on the server as a .php file.  This works with any extension that isn't
> known to the server (.rar, .bak, .test, .java, .cpp, .c, etc.)
>
> This can impact upload scripts, if they don't rename.  I had a script
> that was only allowing a very limited number of file names, including
> .rar.  I realized that I could upload the file test.php.rar, as
> demonstrated here:
> http://www.javaop.com/~iago/test.php.rar
>
> (I assure you that that's a .php script, not just that text file).

Whoa, that's interesting. Testing on Apache 2.0.54 gets the same result.

$ echo "<?php echo 'test'; ?>">/path/to/htdocs/test.php.rar
$ wget http://localhost/test.php.rar -O /tmp/test.txt
$ cat /tmp/test.text;echo

Prints "test". I hadn't heard about this. Thankfully, my webserver
isn't susceptible to such attacks, let me show you why. In my
httpd.conf file, I have:

Alias /uploads/ "/var/www/htdocs/"
Alias /uploads "/var/www/htdocs/"

First, I'm not naming the real directory.... Second, if someone did
find the upload directory, they would be redirected to the root of the
server. They couldn't run the script on my server no matter how hard
they tried.

Thanks for the information.

--
Chris Umphress <http://daga.dyndns.org/>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ