[php-maint] Bug#674089: Bug#674089: Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems

Christoph Anton Mitterer calestyo at scientia.net
Thu Aug 16 23:55:18 UTC 2012 

On Fri, 2012-08-17 at 08:00 +0900, Charles Plessy wrote:
>  - In Squeeze, using default configurations, files with ".php" in their name
>    such as "foo.php.jpeg" are executed as PHP scripts by the Apache web server.
Looking at mod-php5 5.3.3-7+squeeze14:
not vulnerable, but not optimised either

PHP5 with CGI _is_ vulnerable, when (only) the configuration as
described in php5-common's README.Debian was followed.
The latter doesn't defined it's own mime-type or handler for .php files,
therefore the ones from mime-types are (likely) to be used, therefore
vulnerable to the foo.php.jpeg issue.


>  - To solve that problem, the media (MIME) type for PHP has been removed from
>    /etc/mime.types (http://bugs.debian.org/589384).
Seems so (*). That bug btw. is just THE justification for my demand to
add a RemoveType ... if that would have been in place, the mime-types
entries wouldn't have caused the foo.php.jpeg security issue (with the
<FilesMatch "\.ph(p3?|tml)$">  or an optimised version of that).

But I guess another reason should have been, that these pseudo types
should have never been there.


>  - This breaks the websites executing PHP scripts through php5-cgi, and
>    a solution will be documented in the php5 package's NEWS file, and
>    the same text will be proposed to the release notes (http://bugs.debian.org/674089,
>    work in progress).
Guess so.


>  - Unfortunately, the proposed solution exposes these websites to the original
>    problem that caused the PHP media types to be removed from /etc/mime.types.
No (well partially). As I told just in the mail you replied to (*feeling
a bit annoyed*)... neither what Ondřej uses now (version 5.4.4-4) in the
mod_php package's php5.conf:
    <FilesMatch "\.ph(p3?|tml)$">
	SetHandler application/x-httpd-php
    </FilesMatch>
    <FilesMatch "\.phps$">
	SetHandler application/x-httpd-php-source
    </FilesMatch>

nor what he wrote in README.Debian for CGI:
       <FilesMatch \.php$>
         AddType application/x-php php
       </FilesMatch>


are vulnerable, to the actual problem. They are though vulnerable to
exactly what we talked above at (*), because Ondřej refuses to add the
one line RemoveType.


And the same is true for the optimised versions (for both mod_php and
CGI) of the above I proposed in #674205, but which I guess won't be
merged either.


> If the last point is true
The reasons for that being not true it the
<FilesMatch "\.php$"> or in my optimised versions <Files ?*.php>
sections, wrapping around the SetHandler or AddType.
They ensure, that the handler or MIME type is only set for files
matching these patterns.
And files like foo.php.jpeg won't. In the slower FilesMatch version the
"$" in the end of the pattern is crucial for this to work.


Chris.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5450 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-php-maint/attachments/20120817/8626674d/attachment.bin>

More information about the pkg-php-maint mailing list