[php-maint] Bug#691413: libapache2-mod-php5: php files without php extension executed by default

Pierre Colombier pcdwarf at pcdwarf.net
Thu Oct 25 12:39:17 UTC 2012


Package: libapache2-mod-php5
Version: 5.3.3-7+squeeze14
Severity: normal

When you have a file with a name like
   "file.php.something",
Apache considers it a php file and executes it even if its name
does not end with .php or a php-related extension.
If 'something' is a valid extension of another mimetype
like .jpeg it won't be executed.

This leads to some security issues with machines
where files can be uploaded. For example, if someone
can upload a file named nasty.php.hack on a web server
and then access it, he will gain access to this server with the
same rights as apache.
Of course this can be prevented by checking the filenames
on upload but it is non-obvious and the default behaviour
is sufficiently surprising not to be expected.
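The behaviour described in the report, and the two defensive checks it points at, as an added example that is not part of the original report or of Debian's packaging. The script emulates mod_mime's multiple-extension rule ("each recognised extension sets the type, unrecognised extensions are ignored, the last recognised one wins") with a small constructed extension map, contrasts it with the effect of binding the PHP handler only to names ending in ".php", and shows an upload-side filename allowlist. The extension map, the function names and the allowlist are assumptions made for illustration; the emulation is not Apache's own code.

```python
import re

# Constructed type map standing in for the relevant Apache configuration
# (assumption: "AddType application/x-httpd-php .php" plus a few ordinary
# mime.types entries); not copied from any real config file.
TYPE_BY_EXTENSION = {
    "php": "application/x-httpd-php",
    "jpeg": "image/jpeg",
    "jpg": "image/jpeg",
    "png": "image/png",
    "txt": "text/plain",
    "html": "text/html",
}
PHP_TYPE = "application/x-httpd-php"


def effective_type(filename, type_map=TYPE_BY_EXTENSION):
    """Emulate mod_mime's multiple-extension handling for the content type:
    walk every extension after the first dot from left to right; a recognised
    extension sets the type, an unrecognised one is ignored, last one wins."""
    content_type = None
    for ext in filename.split(".")[1:]:
        mapped = type_map.get(ext.lower())
        if mapped is not None:
            content_type = mapped
    return content_type


def executed_as_php_by_default(filename):
    """True when the AddType-style configuration would hand the file to PHP.
    "nasty.php.hack" -> True (".hack" is unknown, so ".php" still wins);
    "photo.php.jpeg" -> False (".jpeg" overrides the earlier type)."""
    return effective_type(filename) == PHP_TYPE


def executed_as_php_hardened(filename):
    """Mitigation on the server side: the effect of attaching the PHP handler
    only inside a <FilesMatch "\\.php$"> block, so the name must END in .php."""
    return re.search(r"\.php$", filename, re.IGNORECASE) is not None


def is_acceptable_upload_name(filename, allowed=("jpg", "jpeg", "png", "txt")):
    """Mitigation on the upload side: exactly one extension, taken from an
    allowlist, and a base name made of safe characters only. This rejects
    "nasty.php.hack" and also "photo.php.jpg" (two extensions)."""
    match = re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,8})", filename)
    return match is not None and match.group(1).lower() in allowed


if __name__ == "__main__":
    # Constructed sample names, including the one from the bug report.
    for name in ("index.php", "nasty.php.hack", "photo.php.jpeg", "photo.jpeg"):
        print(
            f"{name:16} default={executed_as_php_by_default(name)!s:5} "
            f"hardened={executed_as_php_hardened(name)!s:5} "
            f"upload_ok={is_acceptable_upload_name(name)}"
        )
```

Running the script prints one line per sample name; "nasty.php.hack" is the only name that the default emulation executes while the hardened rule does not, and the upload allowlist rejects every name carrying a ".php" component. The upload check is deliberately an allowlist rather than a ".php" denylist, because other handlers and extensions can be configured on the same server.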

-- System Information:
Debian Release: 6.0.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libapache2-mod-php5 depends on:
ii  apache2-mpm-prefor 2.2.16-6+squeeze8     Apache HTTP Server - traditional n
ii  apache2.2-common   2.2.16-6+squeeze8     Apache HTTP Server common files
ii  libbz2-1.0         1.0.5-6+squeeze1      high-quality block-sorting file co
ii  libc6              2.11.3-4              Embedded GNU C Library: Shared lib
ii  libcomerr2         1.41.12-4stable1      common error description library
ii  libdb4.8           4.8.30-2              Berkeley v4.8 Database Libraries [
ii  libgssapi-krb5-2   1.8.3+dfsg-4squeeze6  MIT Kerberos runtime libraries - k
ii  libk5crypto3       1.8.3+dfsg-4squeeze6  MIT Kerberos runtime libraries - C
ii  libkrb5-3          1.8.3+dfsg-4squeeze6  MIT Kerberos runtime libraries
ii  libmagic1          5.04-5+squeeze2       File type determination library us
ii  libonig2           5.9.1-1               Oniguruma regular expressions libr
ii  libpcre3           8.02-1.1              Perl 5 Compatible Regular Expressi
ii  libqdbm14          1.8.77-4              QDBM Database Libraries [runtime]
ii  libssl0.9.8        0.9.8o-4squeeze13     SSL shared libraries
ii  libxml2            2.7.8.dfsg-2+squeeze5 GNOME XML library
ii  mime-support       3.48-1                MIME files 'mime.types' & 'mailcap
ii  php5-common        5.3.3-7+squeeze14     Common files for packages built fr
ii  tzdata             2012g-0squeeze1       time zone and daylight-saving time
ii  ucf                3.0025+nmu1           Update Configuration File: preserv
ii  zlib1g             1:1.2.3.4.dfsg-3      compression library - runtime

Versions of packages libapache2-mod-php5 recommends:
ii  php5-cli               5.3.3-7+squeeze14 command-line interpreter for the p

Versions of packages libapache2-mod-php5 suggests:
ii  php-pear               5.3.3-7+squeeze14 PEAR - PHP Extension and Applicati

-- no debconf information