Wrong/insecure configuration of PHP module
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
php5 (Debian) |
Fix Released
|
Unknown
|
|||
php5 (Ubuntu) |
Fix Released
|
Wishlist
|
Unassigned |
Bug Description
Binary package hint: libapache2-mod-php5
The Apache directives inside /etc/apache2/
---
AddType application/
AddType application/
---
1. 'AddType' is an Apache directive to configure the mime-type of files for the CLIENT side. However PHP is executed at the SERVER side, hence 'AddHandler' or 'SetHandler' must be used instead.
2. In my experience users running Apache with mod_php expect that only files ending with .php, .phtml or .php3 will be processed by the PHP interpreter. However the 'AddType' directives above will enable PHP for all files CONTAINING .php, .phtml or .php3. For example also 'file.php.
Upstream has updated its documentation [2] some months ago to correct those problems and now states:
---
Tell Apache to parse certain extensions as PHP. For example, let's have Apache parse .php files as PHP. Instead of only using the Apache AddType directive, we want to avoid potentially dangerous uploads and created files such as exploit.php.jpg from being executed as PHP. Using this example, you could have any extension(s) parse as PHP by simply adding them. We'll add .phtml to demonstrate.
<FilesMatch \.php$>
SetHandler application/
</FilesMatch>
[...]
---
Please change /etc/apache2/
[1] http://
[2] http://
Changed in php5 (Debian): | |
status: | Unknown → Fix Released |
Thanks for the bug report.
Regards
chuck