Bug 235309 - apache and php can be fooled to execute files as php even without the filename ending with php
Summary: apache and php can be fooled to execute files as php even without the filenam...
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Auditing
Hardware: All Linux
Importance: High critical
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
Reported: 2008-08-20 18:47 UTC by Redeeman
Modified: 2008-08-20 22:00 UTC (History)

See Also:
Package list:
Runtime testing required: ---
Description Redeeman 2008-08-20 18:47:14 UTC
Wasn't sure if it was default config or vulnerability, but I tried looking over configs, and I don't see anything wrong. Configs on CentOS and Debian are also vulnerable.

Basically, create a PHP file, name it index.php.sdfsdf or something similar, and Apache will run the PHP file.

This can sometimes also be used with image extensions, giving the ability to exploit some sites with image uploads.

Reproducible: Always

Steps to Reproduce:
1. Find the htdocs dir.
2. Create some PHP file and name it test.php.sdfsdf.
3. Browse to the file in a browser, and watch the PHP being executed.

Actual Results:  
PHP gets executed.

Expected Results:  
PHP does NOT get executed.
Comment 1 solar (RETIRED) gentoo-dev 2008-08-20 18:54:00 UTC
This was requested to be marked private on IRC.
[ahf(i=ahf@exherbo/developer/ahf)] redeeman managed to forget to mark bug 235309 as security classified only
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-08-20 21:49:55 UTC
I'll open this bug to the public again, as it had been delivered to a lot of mailboxes anyway.

This bug is not a vulnerability in Apache, but a design decision. Please see the following URL for a discussion of reasons and attack vectors:
  http://attrition.org/pipermail/vim/2008-May/001973.html

Any user that is able to rename a file can have it executed in the server environment anyway. If applications allow file upload to a directory that allows execution of those files (and does not check the filename or content), that is a vulnerability in the web application. See, for instance: CVE-2007-6479, CVE-2007-5733, CVE-2007-4817, CVE-2007-4182, CVE-2007-3429, CVE-2007-2742, CVE-2007-2025, CVE-2007-1604, CVE-2007-1235, CVE-2007-1139, CVE-2007-0871, CVE-2006-7109, CVE-2006-4859
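The design decision referred to above is mod_mime's multi-extension handling: Apache splits the basename on dots and treats every component after the first as an extension, so an AddHandler binding for ".php" fires for "test.php.sdfsdf" as well as for "index.php". The Python below is an added illustration, not code from the bug report, Gentoo or the Apache project; the handler table is a constructed stand-in for a classic "AddHandler application/x-httpd-php .php" line, and the anchored regex stands in for the common alternative of binding the handler inside a `<FilesMatch "\.php$">` block, which only matches when .php is the final extension. Both behaviours are emulated so the difference can be checked on sample names.

```python
import re

# Constructed handler table standing in for a classic
#   AddHandler application/x-httpd-php .php
# directive (an assumption about a 2008-era php.conf; read the real value
# from your own Apache configuration).
ADD_HANDLER = {".php": "application/x-httpd-php"}

# Anchored pattern in the style of
#   <FilesMatch "\.php$"> SetHandler application/x-httpd-php </FilesMatch>
# which binds the handler only when .php is the final extension.
FILESMATCH_PHP = re.compile(r"\.php$")


def basename(path: str) -> str:
    """Return the last path component; Apache matches extensions on that only."""
    return path.rsplit("/", 1)[-1]


def mod_mime_handler(path: str, handlers: dict = ADD_HANDLER):
    """Emulate mod_mime's multi-extension matching for AddHandler.

    mod_mime splits the basename on '.', treats every component after the
    first as an extension, lower-cases it and looks each one up regardless of
    its position.  When several extensions map to the same kind of metadata
    (here: the handler), the rightmost match wins.  That is why
    'test.php.sdfsdf' is served through the PHP handler.
    """
    parts = basename(path).split(".")
    handler = None
    for ext in parts[1:]:          # parts[0] is the base name, not an extension
        match = handlers.get("." + ext.lower())
        if match is not None:
            handler = match        # rightmost matching extension wins
    return handler


def filesmatch_handler(path: str, pattern: "re.Pattern" = FILESMATCH_PHP):
    """Emulate the FilesMatch-based binding: only the anchored regex decides."""
    return "application/x-httpd-php" if pattern.search(basename(path)) else None


# Constructed file names: a legitimate script, the renamed file from the bug
# report, an upload disguised as an image, a plain image and a bare name.
SAMPLES = ["index.php", "test.php.sdfsdf", "avatar.php.jpg", "photo.jpg", "README"]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:18} AddHandler -> {str(mod_mime_handler(name)):24} "
              f"FilesMatch -> {filesmatch_handler(name)}")
```

Running it shows "test.php.sdfsdf" and "avatar.php.jpg" reaching the PHP handler under the AddHandler emulation and not under the anchored FilesMatch one. Note that the FilesMatch pattern is case-sensitive as written; if the server's filesystem is case-insensitive, or uploads may carry ".PHP", add an inline `(?i)` or spell the alternatives out, and remember that the pattern only governs which handler runs, not whether untrusted files should be in an executable directory at all.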
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-08-20 21:51:43 UTC
If you find any way to exploit this to cross trust boundaries in a default Gentoo environment or in any of our web applications, please open a new (restricted) bug.
Comment 4 Christian Hoffmann (RETIRED) gentoo-dev 2008-08-20 22:00:47 UTC
I asked rbu to open it again, especially since I've been aware of this issue for ages (even non-Gentoo related) and many users have seen this bug anyway.

Webapps should never trust user-supplied filenames (but generate their own), and with that pre-condition this issue should never be exploitable.

This is not a new bug, Apache is not going to fix it anyway, so... any vulnerable software should be fixed to not use user-supplied filenames, as rbu said. :)