| Summary: | apache and php can be fooled to execute files as php even without the filename ending with php | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Redeeman <redeeman> |
| Component: | Auditing | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED INVALID | | |
| Severity: | critical | CC: | hoffie |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |

Description
Redeeman
2008-08-20 18:47:14 UTC
This was requested to be marked private on IRC.

[ahf(i=ahf@exherbo/developer/ahf)] redeeman managed to forgot to mark bug 235309 as security classified only

I'll open this bug to the public again, as it had been delivered to a lot of mailboxes anyway.

This bug is not a vulnerability in Apache, but a design decision. Please see the following URL for a discussion of reasons and attack vectors: http://attrition.org/pipermail/vim/2008-May/001973.html

Any user that is able to rename a file can have it executed in the server environment anyway. If applications allow file upload to a directory that allows execution of those files (and do not check the filename or content), that is a vulnerability in the web application. See, for instance: CVE-2007-6479, CVE-2007-5733, CVE-2007-4817, CVE-2007-4182, CVE-2007-3429, CVE-2007-2742, CVE-2007-2025, CVE-2007-1604, CVE-2007-1235, CVE-2007-1139, CVE-2007-0871, CVE-2006-7109, CVE-2006-4859.

If you find any way to exploit this to cross trust boundaries in a default Gentoo environment or in any of our web applications, please open a new (restricted) bug.

I asked rbu to open it again, especially since I've been aware of this issue for ages (even non-Gentoo related) and many users have seen this bug anyway.

Webapps should never trust user-supplied filenames (but generate their own ones), and with that pre-condition this issue should never be exploitable. This is not a new bug, Apache is not going to fix it anyway, so... any vulnerable software should be fixed to not use user-supplied filenames, as rbu said. :)
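
The following is an added example, not code from this bug report or from Gentoo, Apache or PHP. It sketches the fix recommended above (the application generates the stored filename itself) together with an audit of existing names for a PHP-mapped extension in any position. The extension set, the accepted-type map, the function names and the sample filenames are assumptions constructed for illustration; match the extension set to the handler mappings in your own server configuration.

```python
import secrets

# Assumption: extensions your Apache configuration maps to the PHP handler.
PHP_HANDLER_EXTS = {"php", "php3", "php4", "php5", "phtml"}

# Assumption: content types the application accepts. The stored extension
# comes from this map, never from the client-supplied filename.
ALLOWED_TYPES = {"image/png": "png", "image/jpeg": "jpg", "application/pdf": "pdf"}

# Constructed sample names, as they might appear in an upload directory.
SAMPLE_NAMES = ["holiday.jpg", "avatar.php.jpg", "notes.PHTML.txt",
                "report.pdf", ".php", "phpinfo.txt"]


def handler_extensions(filename):
    """Return PHP-mapped extensions found anywhere in the name.

    mod_mime treats every dot-separated part after the base name as an
    extension and matches them case-insensitively, so checking only the
    final extension is not enough. This check is deliberately conservative.
    """
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.lower().split(".")[1:]  # drop the base name itself
    return [p for p in parts if p in PHP_HANDLER_EXTS]


def audit(names):
    """Map each risky name to the handler extensions it contains."""
    return {n: handler_extensions(n) for n in names if handler_extensions(n)}


def stored_name(content_type):
    """Generate the on-disk name server-side.

    content_type is assumed to be determined by the server (for example by
    inspecting the file content), not taken from the request headers.
    """
    ext = ALLOWED_TYPES.get(content_type)
    if ext is None:
        raise ValueError("content type not accepted: %r" % content_type)
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    for name, exts in audit(SAMPLE_NAMES).items():
        print("risky name %r contains handler extension(s) %s" % (name, exts))
    print("generated name:", stored_name("image/png"))
```

Keep the client's original filename only as metadata (for example in a database column) if it has to be shown back to users.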