[php-maint] Bug#691413: Bug#691413: libapache2-mod-php5: php files without php extension executed by default
Ondřej Surý
ondrej at debian.org
Thu Oct 25 13:53:50 UTC 2012
reassign 691413 mime-support
affects 691413 +php5
affects 589384 +php5
forcemerge 589384 691413
thank you
Hi,
yes, it's a known problem and it has been fixed in wheezy. There's no
immediate remedy in squeeze which doesn't include breaking existing
installations.
Ondrej
On Thu, Oct 25, 2012 at 2:39 PM, Pierre Colombier <pcdwarf at pcdwarf.net> wrote:
> Package: libapache2-mod-php5
> Version: 5.3.3-7+squeeze14
> Severity: normal
>
> When you have a file with a name like
> "file.php.something",
> Apache considers it is a php file and executes it even if its name
> does not end with .php or a php-related extension
> If 'something' is a valid extension of another mimetype
> like .jpeg it won't be executed.
>
> This leads to some security issues with machines
> where files can be uploaded. For example if someone
> can upload a file named nasty.php.hack on a web server
> and then access it, he will gain access to this server with the
> same rights as apache.
> Of course this can be prevented by checking the filenames
> on upload but it is non-obvious and the default behaviour
> is sufficiently surprising not to be expected.
>
>
>
>
>
> -- System Information:
> Debian Release: 6.0.6
> APT prefers stable-updates
> APT policy: (500, 'stable-updates'), (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
> Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages libapache2-mod-php5 depends on:
> ii apache2-mpm-prefor 2.2.16-6+squeeze8 Apache HTTP Server - traditional n
> ii apache2.2-common 2.2.16-6+squeeze8 Apache HTTP Server common files
> ii libbz2-1.0 1.0.5-6+squeeze1 high-quality block-sorting file co
> ii libc6 2.11.3-4 Embedded GNU C Library: Shared lib
> ii libcomerr2 1.41.12-4stable1 common error description library
> ii libdb4.8 4.8.30-2 Berkeley v4.8 Database Libraries [
> ii libgssapi-krb5-2 1.8.3+dfsg-4squeeze6 MIT Kerberos runtime libraries - k
> ii libk5crypto3 1.8.3+dfsg-4squeeze6 MIT Kerberos runtime libraries - C
> ii libkrb5-3 1.8.3+dfsg-4squeeze6 MIT Kerberos runtime libraries
> ii libmagic1 5.04-5+squeeze2 File type determination library us
> ii libonig2 5.9.1-1 Oniguruma regular expressions libr
> ii libpcre3 8.02-1.1 Perl 5 Compatible Regular Expressi
> ii libqdbm14 1.8.77-4 QDBM Database Libraries [runtime]
> ii libssl0.9.8 0.9.8o-4squeeze13 SSL shared libraries
> ii libxml2 2.7.8.dfsg-2+squeeze5 GNOME XML library
> ii mime-support 3.48-1 MIME files 'mime.types' & 'mailcap
> ii php5-common 5.3.3-7+squeeze14 Common files for packages built fr
> ii tzdata 2012g-0squeeze1 time zone and daylight-saving time
> ii ucf 3.0025+nmu1 Update Configuration File: preserv
> ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
>
> Versions of packages libapache2-mod-php5 recommends:
> ii php5-cli 5.3.3-7+squeeze14 command-line interpreter for the p
>
> Versions of packages libapache2-mod-php5 suggests:
> ii php-pear 5.3.3-7+squeeze14 PEAR - PHP Extension and Applicati
>
> -- no debconf information
>
--
Ondřej Surý <ondrej at sury.org>
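
The following is an added example, not part of the original thread or of any Debian package: a Python model of the extension handling the report describes, usable to audit upload filenames. The extension map is a constructed stand-in for mime.types, and all function names are hypothetical.

```python
# Constructed extension-to-type map standing in for mime.types (assumption);
# only the PHP type matters for the behaviour described in the report.
PHP_TYPE = "application/x-httpd-php"
MIME_TYPES = {
    "php": PHP_TYPE,
    "phtml": PHP_TYPE,
    "jpeg": "image/jpeg",
    "jpg": "image/jpeg",
    "txt": "text/plain",
    "html": "text/html",
}

# Constructed sample upload names.
SAMPLE_UPLOADS = ["nasty.php.hack", "photo.php.jpeg", "index.php",
                  "notes.txt", "report.PHP.bak"]


def resolve_type(filename, types=MIME_TYPES):
    """Model the lookup: every dot-separated extension is checked, unknown
    ones are skipped, and the rightmost known one sets the content type.
    Names are lower-cased to err on the strict side (assumption)."""
    resolved = None
    for ext in filename.lower().split(".")[1:]:
        if ext in types:
            resolved = types[ext]
    return resolved


def is_hidden_php(filename, types=MIME_TYPES):
    """True when the name resolves to the PHP type although its final
    extension is not a PHP one (the nasty.php.hack case)."""
    last = filename.lower().rsplit(".", 1)[-1]
    return (resolve_type(filename, types) == PHP_TYPE
            and types.get(last) != PHP_TYPE)


def audit_uploads(names, types=MIME_TYPES):
    """Return the names that would be treated as PHP unexpectedly."""
    return [n for n in names if is_hidden_php(n, types)]


if __name__ == "__main__":
    for name in audit_uploads(SAMPLE_UPLOADS):
        print("would be handled as PHP:", name)
```
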