[php-maint] Bug#687418: Updating php5 to 5.4.4-5 broke FastCGI setup on my machine
Konstantin Khomoutov
flatworm at users.sourceforge.net
Mon Sep 17 18:11:40 UTC 2012
On Mon, 17 Sep 2012 18:53:50 +0200
Christoph Anton Mitterer <calestyo at scientia.net> wrote:
[...]
Sorry for skipping the rest -- will come back to it later.
> btw:
> This:
> FCGIWrapper /usr/bin/php-cgi .php
> may (I haven't checked) be vulnerable to the foo.php.jpeg issue.
Yes, seems vulnerable: I've created a foo.php.jpeg file containing
<?php
phpinfo();
?>
and tried to request in in the browser -- I got 500 and
[Mon Sep 17 22:00:40 2012] [warn] [client 192.168.2.100] (104)
Connection reset by peer: mod_fcgid: error reading data from FastCGI
server
[Mon Sep 17 22:00:40 2012] [error] [client 192.168.2.100]
Premature end of script headers: test.php.jpeg
in the logs.
With the
<FilesMatch ".+\.ph(p[345]?|t|tml)$">
SetHandler fcgid-script
FcgidWrapper /usr/bin/php-cgi
</FilesMatch>
snippet, all works sensibly: test.php.jpeg is sent as-is and is not
tried to be interpreted.
More information about the pkg-php-maint
mailing list