[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1f29b8940512042125y53d843f2j4c09d3a26607bb02@mail.gmail.com>
Date: Sun, 4 Dec 2005 21:25:23 -0800
From: Chris Umphress <umphress@...il.com>
To: Ron <iago@...hallalegends.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: Bug with .php extension?
On 12/4/05, Ron <iago@...hallalegends.com> wrote:
> I'm not sure whether this is something that's well known, but I've never
> seen anything about it, and I nearly got burned by it, so I figured I'd
> post it here.
>
> In Apache 1.3.33 (untested on any other version), if you have a file
> called file.php.bak, and you navigate to it in the browser, it will run
> on the server as a .php file. This works with any extension that isn't
> known to the server (.rar, .bak, .test, .java, .cpp, .c, etc.)
>
> This can impact upload scripts, if they don't rename. I had a script
> that was only allowing a very limited number of file names, including
> .rar. I realized that I could upload the file test.php.rar, as
> demonstrated here:
> http://www.javaop.com/~iago/test.php.rar
>
> (I assure you that that's a .php script, not just that text file).
Whoa, that's interesting. Testing on Apache 2.0.54 gets the same result.
$ echo "<?php echo 'test'; ?>">/path/to/htdocs/test.php.rar
$ wget http://localhost/test.php.rar -O /tmp/test.txt
$ cat /tmp/test.text;echo
Prints "test". I hadn't heard about this. Thankfully, my webserver
isn't susceptible to such attacks, let me show you why. In my
httpd.conf file, I have:
Alias /uploads/ "/var/www/htdocs/"
Alias /uploads "/var/www/htdocs/"
First, I'm not naming the real directory.... Second, if someone did
find the upload directory, they would be redirected to the root of the
server. They couldn't run the script on my server no matter how hard
they tried.
Thanks for the information.
--
Chris Umphress <http://daga.dyndns.org/>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists