Message-ID: <4394CD0A.2090503@valhallalegends.com>
Date: Mon, 05 Dec 2005 17:28:10 -0600
From: Ron <iago@...hallalegends.com>
To: Simon Richter <Simon.Richter@...yros.de>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: Bug with .php extension?


Simon Richter wrote:
 > I would think this is related to "Options MultiViews", where a file
 > generally has many suffixes (file type, language, compression, ...).
 > Does this also happen to you (yes, I'm too lazy to try right now) if you
 > turn MultiViews off?
 >
 > Nevertheless, good idea that script authors should possibly be aware
 > that any suffix, not just the last, is interpreted.
 >
 >    Simon

Thanks for the response,

That was a good idea, I hadn't thought of it; however, I turned off 
MultiViews, and it still behaves the same way.

I also tried adding more extensions, just out of curiosity.  The 
following files also run as .php files:
   http://www.javaop.com/~iago/test.php.cpp.java
   http://www.javaop.com/~iago/test.php.a.a.a.a.b.b.b.b.c.d.e.f

Interestingly, these files are NOT affected, and don't parse the .php:
   http://www.javaop.com/~iago/test.php.jpeg.bmp.rar
   http://www.javaop.com/~iago/test.php.jpeg.rar

The first of those two behaves as a .bmp, and the second one behaves as 
a .jpeg.

It seems that it uses the last recognized extension when parsing files, 
ignoring everything after it.

Any other ideas?  At this point, I'm unsure whether to call it a bug or 
a feature, and whether to alert Apache about it.  Unless somebody posts 
soon, I'll send a bug report to Apache.

Ron
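
Added example, not part of the original message: a small Python model of the behaviour reported above (the last extension with a known mapping decides how the file is served, unmapped ones are skipped), showing why an upload filter that checks only the final extension misses these names. The extension table and function names are constructed for illustration; the file names are the ones from the post.

```python
# Constructed mapping table for a hypothetical server. Per the post, .cpp,
# .java, .rar and the single-letter suffixes had no mapping on Ron's server.
RECOGNIZED = {
    "php": "application/x-httpd-php",
    "jpeg": "image/jpeg",
    "bmp": "image/bmp",
}
SCRIPT_TYPES = {"application/x-httpd-php"}


def effective_type(filename, recognized=RECOGNIZED):
    """Return the type of the last recognized extension, or None.

    Every dot-separated segment after the base name is a candidate;
    segments with no mapping are skipped instead of ending the search.
    """
    for ext in reversed(filename.lower().split(".")[1:]):
        if ext in recognized:
            return recognized[ext]
    return None


def naive_upload_check(filename, blocked=("php",)):
    """Flawed filter: accepts anything whose FINAL extension is not blocked."""
    return filename.lower().rsplit(".", 1)[-1] not in blocked


def strict_upload_check(filename, recognized=RECOGNIZED):
    """Accept only names in which NO segment maps to a script type.

    Deliberately conservative: it also rejects test.php.jpeg.rar, because
    another server's mapping table may not know .jpeg.
    """
    segments = filename.lower().split(".")[1:]
    return not any(recognized.get(ext) in SCRIPT_TYPES for ext in segments)


def audit(filenames):
    """Names the naive filter accepts although the model serves them as script."""
    return [n for n in filenames
            if naive_upload_check(n) and effective_type(n) in SCRIPT_TYPES]


POST_SAMPLES = [  # file names quoted in the message above
    "test.php.cpp.java",
    "test.php.a.a.a.a.b.b.b.b.c.d.e.f",
    "test.php.jpeg.bmp.rar",
    "test.php.jpeg.rar",
]

if __name__ == "__main__":
    for name in POST_SAMPLES:
        print(name, effective_type(name), strict_upload_check(name))
```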
