Wasn't sure if it was default config or a vulnerability, but I tried looking over configs, and I don't see anything wrong. Configs on CentOS and Debian are also vulnerable. Basically, create a PHP file, name it index.php.sdfsdf or something similar, and Apache will run the PHP file. This can sometimes also be used with image extensions, giving the ability to exploit some sites with image uploads.

Reproducible: Always

Steps to Reproduce:
1. Find the htdocs dir
2. Create some PHP file and name it test.php.sdfsdf
3. Browse to the file in a browser, and watch the PHP being executed

Actual Results: PHP gets executed

Expected Results: PHP does NOT get executed
This was requested to be marked private on IRC. [ahf(i=ahf@exherbo/developer/ahf)] redeeman managed to forget to mark bug 235309 as security classified only
I'll open this bug to the public again, as it had been delivered to a lot of mailboxes anyway.

This bug is not a vulnerability in Apache, but a design decision. Please see the following URL for a discussion of reasons and attack vectors: http://attrition.org/pipermail/vim/2008-May/001973.html

Any user that is able to rename a file can have it executed in the server environment anyway. If applications allow file upload to a directory that allows execution of those files (and does not check the filename or content), that is a vulnerability in the web application. See, for instance:
CVE-2007-6479, CVE-2007-5733, CVE-2007-4817, CVE-2007-4182, CVE-2007-3429, CVE-2007-2742, CVE-2007-2025, CVE-2007-1604, CVE-2007-1235, CVE-2007-1139, CVE-2007-0871, CVE-2006-7109, CVE-2006-4859
If you find any way to exploit this to cross trust boundaries in a default Gentoo environment or in any of our web applications, please open a new (restricted) bug.
I asked rbu to open it again, especially since I've been aware of this issue for ages (even non-Gentoo related) and many users have seen this bug anyway. Webapps should never trust user-supplied filenames (but generate their own ones), and with that pre-condition this issue should never be exploitable. This is not a new bug, Apache is not going to fix it anyway, so... any vulnerable software should be fixed to not use user-supplied filenames, as rbu said. :)
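An added example, not from this bug thread or from Apache or Gentoo, of the upload policy the last two comments describe: the web application picks the stored filename itself, consults only the final extension against an allowlist, and flags any name that carries an executable segment anywhere, since mod_mime reads every dot-separated segment of a name, not just the last one. The extension sets are constructed assumptions; only `php` comes from the report.

```python
import os
import re
import secrets
from typing import List, Optional

# Constructed allowlist: the only extensions the upload directory may hold.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Constructed list of extensions a server-side handler might claim when mod_mime
# walks the dot-separated segments of a name ("php" is the one from the report).
EXECUTABLE_EXTENSIONS = {"php", "php3", "phtml", "cgi", "pl"}

# Shape of every name this module will ever store.
HEX_NAME = re.compile(r"^[0-9a-f]{32}\.(jpg|jpeg|png|gif)$")


def extension_segments(user_filename: str) -> List[str]:
    """Return every dot-separated segment after the first, lower-cased, as
    mod_mime sees them: 'index.php.sdfsdf' -> ['php', 'sdfsdf']."""
    base = os.path.basename(user_filename.replace("\\", "/"))
    return [seg.lower() for seg in base.split(".")[1:] if seg]


def is_dangerous(user_filename: str) -> bool:
    """True when any segment, not just the last, names an executable type."""
    return any(seg in EXECUTABLE_EXTENSIONS for seg in extension_segments(user_filename))


def server_filename(user_filename: str) -> Optional[str]:
    """Choose the stored name ourselves. A name with an executable segment
    anywhere is rejected outright (worth logging as a probe); otherwise the
    final extension must be allowlisted. Returns None on rejection."""
    if is_dangerous(user_filename):
        return None
    segs = extension_segments(user_filename)
    if not segs or segs[-1] not in ALLOWED_EXTENSIONS:
        return None
    # 128 random bits: the client no longer controls any part of the path.
    return f"{secrets.token_hex(16)}.{segs[-1]}"


if __name__ == "__main__":
    for name in ["photo.JPG", "test.php.sdfsdf", "avatar.php.jpg", "notes.txt"]:
        print(f"{name!r:20} -> {server_filename(name)}")
```

On the server side, binding the PHP handler with a `<FilesMatch "\.php$">` block rather than `AddHandler ... .php` stops mod_mime from treating an inner `.php` segment as the handler, but as both comments say, the application should still never store user-supplied names.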