[php-maint] Bug#691413: Bug#691413: libapache2-mod-php5: php files without php extension executed by default

Ondřej Surý ondrej at debian.org
Thu Oct 25 13:53:50 UTC 2012


reassign 691413 mime-support
affects 691413 +php5
affects 589384 +php5
forcemerge 589384 691413
thank you

Hi,

yes, it's a know problem and it has been fixed in wheezy.  There's no
immediate remedy in squeeze which doesn't include breaking existing
installations.

Ondrej

On Thu, Oct 25, 2012 at 2:39 PM, Pierre Colombier <pcdwarf at pcdwarf.net> wrote:
> Package: libapache2-mod-php5
> Version: 5.3.3-7+squeeze14
> Severity: normal
>
> When you have a file with a name like
>    "file.php.something",
> Apache considers it is a php file and executes it even if its name
> does not end with .php or a php-related extension
> If 'something' is a valid extension of another mimetype
> like .jpeg it won't be executed.
>
> This leads to some security issues with machines
> where files can be uploaded. For exemple il somewone
> can upload a file named nasty.php.hack on a web server
> and then access it, he will gain acces to this server with the
> same rights as apache.
> Of course this can be prevented by checking the filenames
> on upload but it is non obvious and the default behaviour
> is sufficiently surprising not to be expected.
>
>
>
>
>
> -- System Information:
> Debian Release: 6.0.6
>   APT prefers stable-updates
>   APT policy: (500, 'stable-updates'), (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
> Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages libapache2-mod-php5 depends on:
> ii  apache2-mpm-prefor 2.2.16-6+squeeze8     Apache HTTP Server - traditional n
> ii  apache2.2-common   2.2.16-6+squeeze8     Apache HTTP Server common files
> ii  libbz2-1.0         1.0.5-6+squeeze1      high-quality block-sorting file co
> ii  libc6              2.11.3-4              Embedded GNU C Library: Shared lib
> ii  libcomerr2         1.41.12-4stable1      common error description library
> ii  libdb4.8           4.8.30-2              Berkeley v4.8 Database Libraries [
> ii  libgssapi-krb5-2   1.8.3+dfsg-4squeeze6  MIT Kerberos runtime libraries - k
> ii  libk5crypto3       1.8.3+dfsg-4squeeze6  MIT Kerberos runtime libraries - C
> ii  libkrb5-3          1.8.3+dfsg-4squeeze6  MIT Kerberos runtime libraries
> ii  libmagic1          5.04-5+squeeze2       File type determination library us
> ii  libonig2           5.9.1-1               Oniguruma regular expressions libr
> ii  libpcre3           8.02-1.1              Perl 5 Compatible Regular Expressi
> ii  libqdbm14          1.8.77-4              QDBM Database Libraries [runtime]
> ii  libssl0.9.8        0.9.8o-4squeeze13     SSL shared libraries
> ii  libxml2            2.7.8.dfsg-2+squeeze5 GNOME XML library
> ii  mime-support       3.48-1                MIME files 'mime.types' & 'mailcap
> ii  php5-common        5.3.3-7+squeeze14     Common files for packages built fr
> ii  tzdata             2012g-0squeeze1       time zone and daylight-saving time
> ii  ucf                3.0025+nmu1           Update Configuration File: preserv
> ii  zlib1g             1:1.2.3.4.dfsg-3      compression library - runtime
>
> Versions of packages libapache2-mod-php5 recommends:
> ii  php5-cli               5.3.3-7+squeeze14 command-line interpreter for the p
>
> Versions of packages libapache2-mod-php5 suggests:
> ii  php-pear               5.3.3-7+squeeze14 PEAR - PHP Extension and Applicati
>
> -- no debconf information
>
> _______________________________________________
> pkg-php-maint mailing list
> pkg-php-maint at lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-php-maint



-- 
Ondřej Surý <ondrej at sury.org>



More information about the pkg-php-maint mailing list