[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <7b93ce2b0512050224yf5a70e8h40294841b723f216@mail.gmail.com>
Date: Mon Dec 5 10:24:59 2005
From: d.stanzani at gmail.com (Stanza)
Subject: Bug with .php extension?
I suppose this is a great bug. It work also on apache 2. If a user can
upload a file and it's extension isn't associated to a mime-type, the
server processes it as a php file..
Stanza
On 12/5/05, Chris Umphress <umphress@...il.com> wrote:
> On 12/4/05, Ron <iago@...hallalegends.com> wrote:
> > I'm not sure whether this is something that's well known, but I've never
> > seen anything about it, and I nearly got burned by it, so I figured I'd
> > post it here.
> >
> > In Apache 1.3.33 (untested on any other version), if you have a file
> > called file.php.bak, and you navigate to it in the browser, it will run
> > on the server as a .php file. This works with any extension that isn't
> > known to the server (.rar, .bak, .test, .java, .cpp, .c, etc.)
> >
> > This can impact upload scripts, if they don't rename. I had a script
> > that was only allowing a very limited number of file names, including
> > .rar. I realized that I could upload the file test.php.rar, as
> > demonstrated here:
> > http://www.javaop.com/~iago/test.php.rar
> >
> > (I assure you that that's a .php script, not just that text file).
>
> Whoa, that's interesting. Testing on Apache 2.0.54 gets the same result.
>
> $ echo "<?php echo 'test'; ?>">/path/to/htdocs/test.php.rar
> $ wget http://localhost/test.php.rar -O /tmp/test.txt
> $ cat /tmp/test.text;echo
>
> Prints "test". I hadn't heard about this. Thankfully, my webserver
> isn't susceptible to such attacks, let me show you why. In my
> httpd.conf file, I have:
>
> Alias /uploads/ "/var/www/htdocs/"
> Alias /uploads "/var/www/htdocs/"
>
> First, I'm not naming the real directory.... Second, if someone did
> find the upload directory, they would be redirected to the root of the
> server. They couldn't run the script on my server no matter how hard
> they tried.
>
> Thanks for the information.
>
> --
> Chris Umphress <http://daga.dyndns.org/>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Powered by blists - more mailing lists