[php-maint] Bug#674089: Bug#674089: Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems
Charles Plessy
plessy at debian.org
Thu Aug 16 23:00:40 UTC 2012
Le Thu, Aug 16, 2012 at 01:14:58AM +0200, Christoph Anton Mitterer a écrit :
> On Thu, 2012-08-16 at 00:24 +0200, Stefan Fritsch wrote:
> > > Stefan, can you please elaborate on what you mean with magic MIME
> > > types? (you're talking about MIME type discovery via libmagic or
> > > similar? That would be not what's suggested above!)
> >
> > The mime types that are also handler names and cause mod_php to
> > execute scripts, i.e. application/x-httpd-php and application/x-httpd-
> > php-source. Using these as mime types is dangerous because they may
> > also cause things named like foo.php.bar to be executed.
>
> Well the same is (IIRC) the case when you use handlers? No?
>
> Anyway,... the configuration snippets I proposed in #674205 are _NOT_
> vulnerable to the issue you describe, even though using AddType.
> btw: I've emphasised this several times already,...
Dear all,
is the following summary accurate ?
- In Squeeze, using default configurations, files with ".php" in their name
such as "foo.php.jpeg" are executed as PHP scripts by the Apache web server.
- To solve that problem, the media (MIME) type for PHP has been removed from
/etc/mime.types (http://bugs.debian.org/589384).
- This breaks the websites executing PHP scripts through php5-cgi, and
a solution will be documented in the php5 package's NEWS file, and
the same text will be proposed to the release notes (http://bugs.debian.org/674089,
work in progress).
- Unfortunately, the proposed solution exposes these websites to the original
problem that caused the PHP media types to be removed from /etc/mime.types.
If the last point is true, I wonder how the other distributions are solving it,
given that in Fedora and Ubuntu, /etc/mime.types also does not contain the PHP
media types. Can somebody investigate ? I think that I do not understand the
problem well enough to be that person.
Have a nice day,
--
Charles Plessy
Tsurumi, Kanagawa, Japan
More information about the pkg-php-maint
mailing list