[php-maint] Bug#797686: libapache2-mod-php5: "phtml" Executed As "php" By Default On Many Debian-Based Linux Systems

Narendra Bhati narendra.infosec at gmail.com
Tue Sep 1 15:20:12 UTC 2015


Package: libapache2-mod-php5
Version: 5.4.34-0+deb7u1
Severity: important

Dear Maintainer,
*** Please consider answering these questions, where appropriate ***

   * What led up to the situation

     Hello Debian Security Team.

I just observed an issue when one of my Arbitrary File Upload vulnerabilities got fixed.

Here I am explaining the scenario to you.

Many developers prevent file upload vulnerabilities by blocking "['php', 'php3', 'php4', 'inc']", so most developers do the same for their applications to prevent this.
But the better solution is to also include these extensions: "php5, pht, phtml".

Observation: I have now observed that most Debian-based Linux systems are set by default to execute "phtml" as "php", which looks dangerous because most developers only use "php, php3, php4, inc".
So if any developer misses adding "phtml" to the file upload blacklist, and the Debian-based Linux system is set to execute "phtml" as "php" by default, then the whole server can be compromised by the attacker.

For the PoC I tested the latest Kali Linux 2.0, which allows a user to execute "phtml" as "php" by default.

The default configuration of many Debian-based systems leads to the problem. The following component of Debian:

% dpkg-query -S /etc/apache2/mods-available/php5.conf
libapache2-mod-php5: /etc/apache2/mods-available/php5.conf

https://packages.debian.org/jessie/libapache2-mod-php5

   * What exactly did you do (or not do) that was effective (or
     ineffective)?
I created a backdoor like "backdoor.phtml" and tried to execute it with Apache, which executed successfully. By using this, a user can perform command execution.

   * What was the outcome of this action?

Many developers prevent file upload vulnerabilities by blocking "['php', 'php3', 'php4', 'inc']", so most developers do the same for their applications to prevent this.
But the better solution is to also include these extensions: "php5, pht, phtml".
If the developer forgot to also add these extensions, and the server is configured to execute "phtml" as "php" by default, then it can lead to server compromise.
   * What outcome did you expect instead?
The PHP extensions such as "phtml" should be disabled by default; if required, they can be enabled manually, so that the administrator is aware that "phtml" is also enabled on the web server.
    All in all, Debian-based systems should come with all extra PHP extensions disabled by default; if someone needs "phtml", they can enable it manually.


-- System Information:
Debian Release: Kali Linux 1.0.9
Architecture: i386 (i686)

Kernel: Linux 3.14-kali1-486
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libapache2-mod-php5 depends on:
ii  apache2-mpm-prefork  2.2.22-13+deb7u3
ii  apache2.2-common     2.2.22-13+deb7u3
ii  libbz2-1.0           1.0.6-4
ii  libc6                2.13-38+deb7u6
ii  libcomerr2           1.42.5-1.1
ii  libdb5.1             5.1.29-5
ii  libgssapi-krb5-2     1.10.1+dfsg-5+deb7u2
ii  libk5crypto3         1.10.1+dfsg-5+deb7u2
ii  libkrb5-3            1.10.1+dfsg-5+deb7u2
ii  libmagic1            5.11-2+deb7u5
ii  libonig2             5.9.1-1
ii  libpcre3             1:8.30-5
ii  libqdbm14            1.8.78-2
ii  libssl1.0.0          1.0.1e-2+deb7u13
ii  libstdc++6           4.7.2-5
ii  libxml2              2.8.0+dfsg1-7+wheezy2
ii  mime-support         3.52-1
ii  php5-common          5.4.34-0+deb7u1
ii  tzdata               2014h-0wheezy1
ii  ucf                  3.0025+nmu3
ii  zlib1g               1:1.2.7.dfsg-13

Versions of packages libapache2-mod-php5 recommends:
ii  php5-cli  5.4.34-0+deb7u1

Versions of packages libapache2-mod-php5 suggests:
pn  php-pear  <none>

-- no debconf information
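The gap the report describes is the mismatch between an application's upload blacklist and the set of extensions the web server's PHP handler actually executes. The following added example (not part of the bug report or of the Debian package) makes that gap checkable: it models the handler mapping with a regular expression written here from memory of the FilesMatch pattern in Debian's php5.conf (an assumption, not quoted from the report), compares the blacklist from the report against it, and contrasts the blacklist with an allowlist that never permits an executable extension regardless of how the server is configured. The file names are constructed sample data.

```python
import re

# Blacklist the report says many developers use (taken from the report).
COMMON_BLACKLIST = {"php", "php3", "php4", "inc"}
# The extended blacklist the report recommends.
EXTENDED_BLACKLIST = COMMON_BLACKLIST | {"php5", "pht", "phtml"}

# Extensions an upload endpoint actually needs; an allowlist sidesteps the
# question of which server-side handlers exist (constructed for this example).
ALLOWLIST = {"png", "jpg", "jpeg", "gif", "pdf"}

# Assumption: modelled on the FilesMatch regex Debian's php5.conf uses to route
# files to mod_php. Note it is case-sensitive, as Apache's FilesMatch is
# without an (?i) flag.
PHP_HANDLER_RE = re.compile(r".+\.ph(p[345]?|t|tml)$")

# Constructed sample upload names covering every extension mentioned in the report.
SAMPLE_UPLOADS = [
    "upload.php", "upload.php3", "upload.php4", "upload.php5",
    "upload.pht", "upload.phtml", "upload.inc", "photo.png",
]


def extension(filename):
    """Return the lower-cased last extension, or '' if there is none."""
    name = filename.rsplit("/", 1)[-1]
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].lower()


def blacklist_permits(filename, blacklist):
    """True if a blacklist-based filter would accept this upload."""
    return extension(filename) not in blacklist


def allowlist_permits(filename):
    """True if an allowlist-based filter would accept this upload."""
    return extension(filename) in ALLOWLIST


def server_executes(filename):
    """True if the modelled handler mapping would hand this file to PHP."""
    return PHP_HANDLER_RE.search(filename) is not None


def upload_gaps(blacklist, candidates):
    """Names the filter accepts but the server would execute: the exposure."""
    return sorted(
        name for name in candidates
        if blacklist_permits(name, blacklist) and server_executes(name)
    )


if __name__ == "__main__":
    print("common blacklist leaves executable:", upload_gaps(COMMON_BLACKLIST, SAMPLE_UPLOADS))
    print("extended blacklist leaves executable:", upload_gaps(EXTENDED_BLACKLIST, SAMPLE_UPLOADS))
    print("allowlist accepts:", [n for n in SAMPLE_UPLOADS if allowlist_permits(n)])
```

Running it shows the common blacklist still lets `upload.php5`, `upload.pht` and `upload.phtml` through to the handler, the extended list closes all three, and the allowlist accepts only `photo.png`. The same `upload_gaps` check can be rerun against whatever pattern a given server's php configuration really contains, which is the audit a deployer should do rather than trusting a blacklist copied from elsewhere.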