[php-maint] Bug#674089: Bug#674089: Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems

Charles Plessy plessy at debian.org
Thu Aug 16 23:00:40 UTC 2012 

Le Thu, Aug 16, 2012 at 01:14:58AM +0200, Christoph Anton Mitterer a écrit :
> On Thu, 2012-08-16 at 00:24 +0200, Stefan Fritsch wrote:
> > > Stefan, can you please elaborate on what you mean with magic MIME
> > > types? (you're talking about MIME type discovery via libmagic or
> > > similar? That would be not what's suggested above!)
> > 
> > The mime types that are also handler names and cause mod_php to 
> > execute scripts, i.e. application/x-httpd-php and application/x-httpd-
> > php-source. Using these as mime types is dangerous because they may 
> > also cause things named like foo.php.bar to be executed.
> 
> Well the same is (IIRC) the case when you use handlers? No?
> 
> Anyway,... the configuration snippets I proposed in #674205 are _NOT_
> vulnerable to the issue you describe, even though using AddType.
> btw: I've emphasised this several times already,...

Dear all,

is the following summary accurate ?

 - In Squeeze, using default configurations, files with ".php" in their name
   such as "foo.php.jpeg" are executed as PHP scripts by the Apache web server.

 - To solve that problem, the media (MIME) type for PHP has been removed from
   /etc/mime.types (http://bugs.debian.org/589384).

 - This breaks the websites executing PHP scripts through php5-cgi, and
   a solution will be documented in the php5 package's NEWS file, and
   the same text will be proposed to the release notes (http://bugs.debian.org/674089,
   work in progress).

 - Unfortunately, the proposed solution exposes these websites to the original
   problem that caused the PHP media types to be removed from /etc/mime.types.


If the last point is true, I wonder how the other distributions are solving it,
given that in Fedora and Ubuntu, /etc/mime.types also does not contain the PHP
media types.  Can somebody investigate ?  I think that I do not understand the
problem well enough to be that person.


Have a nice day,

-- 
Charles Plessy
Tsurumi, Kanagawa, Japan

More information about the pkg-php-maint mailing list