[php-maint] Bug#691413: libapache2-mod-php5: php files without php extension executed by default
Pierre Colombier
pcdwarf at pcdwarf.net
Thu Oct 25 12:39:17 UTC 2012
Package: libapache2-mod-php5
Version: 5.3.3-7+squeeze14
Severity: normal
When you have a file with a name like
"file.php.something",
Apache considers it is a php file and executes it even if its name
does not end with .php or a php-related extension
If 'something' is a valid extension of another mimetype
like .jpeg it won't be executed.
This leads to some security issues with machines
where files can be uploaded. For example, if someone
can upload a file named nasty.php.hack to a web server
and then access it, he will gain access to this server with the
same rights as apache.
Of course this can be prevented by checking the filenames
on upload but it is non obvious and the default behaviour
is sufficiently surprising not to be expected.
-- System Information:
Debian Release: 6.0.6
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libapache2-mod-php5 depends on:
ii apache2-mpm-prefor 2.2.16-6+squeeze8 Apache HTTP Server - traditional n
ii apache2.2-common 2.2.16-6+squeeze8 Apache HTTP Server common files
ii libbz2-1.0 1.0.5-6+squeeze1 high-quality block-sorting file co
ii libc6 2.11.3-4 Embedded GNU C Library: Shared lib
ii libcomerr2 1.41.12-4stable1 common error description library
ii libdb4.8 4.8.30-2 Berkeley v4.8 Database Libraries [
ii libgssapi-krb5-2 1.8.3+dfsg-4squeeze6 MIT Kerberos runtime libraries - k
ii libk5crypto3 1.8.3+dfsg-4squeeze6 MIT Kerberos runtime libraries - C
ii libkrb5-3 1.8.3+dfsg-4squeeze6 MIT Kerberos runtime libraries
ii libmagic1 5.04-5+squeeze2 File type determination library us
ii libonig2 5.9.1-1 Oniguruma regular expressions libr
ii libpcre3 8.02-1.1 Perl 5 Compatible Regular Expressi
ii libqdbm14 1.8.77-4 QDBM Database Libraries [runtime]
ii libssl0.9.8 0.9.8o-4squeeze13 SSL shared libraries
ii libxml2 2.7.8.dfsg-2+squeeze5 GNOME XML library
ii mime-support 3.48-1 MIME files 'mime.types' & 'mailcap
ii php5-common 5.3.3-7+squeeze14 Common files for packages built fr
ii tzdata 2012g-0squeeze1 time zone and daylight-saving time
ii ucf 3.0025+nmu1 Update Configuration File: preserv
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
Versions of packages libapache2-mod-php5 recommends:
ii php5-cli 5.3.3-7+squeeze14 command-line interpreter for the p
Versions of packages libapache2-mod-php5 suggests:
ii php-pear 5.3.3-7+squeeze14 PEAR - PHP Extension and Applicati
-- no debconf information
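The multi-extension behaviour the report describes, as an added example that is not part of the bug report or of Debian's packaging: a small Python model of how mod_mime resolves a filename's type under an AddType-style configuration (assumed here to be what squeeze's php5.conf uses) versus a FilesMatch/SetHandler rule keyed on the final extension, plus the kind of upload-side filename check the reporter mentions. The mime.types subset, the PHP extension list, the regex, the upload allowlist and the sample filenames are all constructed for this example.

```python
import re

# Constructed subset of /etc/mime.types (assumption: what mod_mime would load).
MIME_TYPES = {
    "jpeg": "image/jpeg",
    "jpg": "image/jpeg",
    "png": "image/png",
    "txt": "text/plain",
    "html": "text/html",
}

PHP_TYPE = "application/x-httpd-php"

# Assumption: squeeze's php5.conf maps these extensions with AddType.
ADDTYPE_PHP = {"php": PHP_TYPE, "phtml": PHP_TYPE, "php3": PHP_TYPE}

# Constructed FilesMatch-style rule: only the trailing extension decides,
# and the leading '.+' excludes a bare '.php' with no base name.
PHP_FILES_MATCH = re.compile(r".+\.ph(p[345]?|t|tml)$")


def resolve_type_addtype(filename):
    """Model of mod_mime's multi-extension lookup under AddType.

    Every dotted segment after the base name is looked up in turn. A known
    extension sets the type (a later one overrides an earlier one); an
    unknown extension is skipped, so 'x.php.hack' keeps the type that
    '.php' assigned while 'x.php.jpeg' ends up as image/jpeg.
    """
    mime_type = None
    for ext in filename.split(".")[1:]:
        ext = ext.lower()  # mod_mime compares extensions case-insensitively
        if ext in ADDTYPE_PHP:
            mime_type = ADDTYPE_PHP[ext]
        elif ext in MIME_TYPES:
            mime_type = MIME_TYPES[ext]
    return mime_type


def executed_as_php_addtype(filename):
    """True when the AddType model hands the file to the PHP module."""
    return resolve_type_addtype(filename) == PHP_TYPE


def executed_as_php_filesmatch(filename):
    """True when the FilesMatch rule fires (regex applied as written)."""
    return PHP_FILES_MATCH.match(filename) is not None


ALLOWED_UPLOAD_EXT = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}  # constructed


def safe_upload_name(filename):
    """Upload-side check: accept only 'base.ext' with exactly one extension
    from the allowlist, a non-empty base name and no path separators or NUL.
    Refusing every multi-extension name defeats 'nasty.php.hack' whatever
    the web server's handler configuration happens to be."""
    if "/" in filename or "\\" in filename or "\x00" in filename:
        return False
    parts = filename.split(".")
    if len(parts) != 2 or not parts[0]:
        return False
    return parts[1].lower() in ALLOWED_UPLOAD_EXT


def classify(filenames):
    """Return {name: (addtype_executes, filesmatch_executes, upload_allowed)}."""
    return {
        name: (executed_as_php_addtype(name),
               executed_as_php_filesmatch(name),
               safe_upload_name(name))
        for name in filenames
    }


if __name__ == "__main__":
    samples = ["index.php", "nasty.php.hack", "nasty.php.jpeg",
               "photo.jpeg", "shell.phtml", ".php"]  # constructed inputs
    for name, (addtype, fmatch, upload) in classify(samples).items():
        print(f"{name:16} AddType->PHP={addtype!s:5} "
              f"FilesMatch->PHP={fmatch!s:5} upload_ok={upload}")
```

The two server-side models differ exactly on the reporter's case: under AddType, nasty.php.hack is handed to PHP because .hack is unknown to mod_mime and the .php mapping stands, while the FilesMatch rule ignores everything before the last extension. Note that a FilesMatch regex is applied as written (case-sensitive) whereas mod_mime's extension lookup is case-insensitive, so mixed-case names such as nasty.PHP are worth testing on a real instance rather than trusting either model. The upload check is the belt-and-braces layer: it rejects any name with more than one extension, so the outcome no longer depends on the handler configuration at all.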