public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] proj/gentoo-news:master commit in: 2015/2015-04-06-apache-addhandler-addtype/
@ 2015-04-05 23:09 Sebastian Pipping
From: Sebastian Pipping @ 2015-04-05 23:09 UTC
  To: gentoo-commits

commit:     48f5fc4cf0ab6ef4fbdcb7f3b86110cf54a8840b
Author:     Sebastian Pipping <sebastian <AT> pipping <DOT> org>
AuthorDate: Sun Apr  5 22:50:59 2015 +0000
Commit:     Sebastian Pipping <sping <AT> gentoo <DOT> org>
CommitDate: Sun Apr  5 23:08:51 2015 +0000
URL:        https://gitweb.gentoo.org/proj/gentoo-news.git/commit/?id=48f5fc4c

Add news item "Apache AddHandler/AddType vulnerability protection"

 .../2015-04-06-apache-addhandler-addtype.en.txt    | 96 ++++++++++++++++++++++
 ...2015-04-06-apache-addhandler-addtype.en.txt.asc |  7 ++
 2 files changed, 103 insertions(+)

diff --git a/2015/2015-04-06-apache-addhandler-addtype/2015-04-06-apache-addhandler-addtype.en.txt b/2015/2015-04-06-apache-addhandler-addtype/2015-04-06-apache-addhandler-addtype.en.txt
new file mode 100644
index 0000000..d7d58af
--- /dev/null
+++ b/2015/2015-04-06-apache-addhandler-addtype/2015-04-06-apache-addhandler-addtype.en.txt
@@ -0,0 +1,96 @@
+Title: Apache AddHandler/AddType vulnerability protection
+Author: Sebastian Pipping <sping@gentoo.org>
+Content-Type: text/plain
+Posted: 2015-04-06
+Revision: 1
+News-Item-Format: 1.0
+Display-If-Installed: www-servers/apache
+
+Apache's directives AddHandler [1] and AddType [2] can be used
+to map certain file name extensions (e.g. .php) to a handler
+(e.g. application/x-httpd-php).  While a line like
+
+  AddHandler application/x-httpd-php .php .php5 .phtml
+     ^^^^^^^
+matches index.php, it also matches index.php.png.
+With
+
+  AddType application/x-httpd-php .php .php5 .phtml
+     ^^^^
+index.php.png is not executed, but index.php.disabled still is.
+
+
+Apache's notes on multiple file extensions [3] document
+a multi-language website as a context where that behavior
+may be helpful.  Unfortunately, it can be a security threat.
+
+Combined with (not just PHP) applications that support
+file upload, the AddHandler/AddType directive can get you into
+remote code execution situations.
+
+That is why >=app-eselect/eselect-php-0.7.1-r4 avoids AddHandler
+and is shipping
+
+  <FilesMatch "\.(php|php5|phtml)$">
+    SetHandler application/x-httpd-php
+  </FilesMatch>
+
+instead.
+
+
+Why this news entry?
+
+ * Since Apache configuration lives below /etc,
+   you need to run etc-update (or a substitute)
+   to actually have related fixes applied.
+
+ * If you are currently relying on AddHandler to execute
+   secret_database_stuff.php.inc, moving away from AddHandler
+   could result in serving your database credentials in plain
+   text.  A command like
+
+     find /var/www/ -name '*.php.*' \
+                 -o -name '*.php5.*' \
+                 -o -name '*.phtml.*'
+
+   may help discovering PHP files that would no longer be executed.
+
+   Shipping automatic protection for this scenario is not trivial,
+   but you could manually install protection based on this recipe:
+
+     <FilesMatch "\.(php|php5|phtml|phps)\.">
+       # a) Apache 2.2 / Apache 2.4 + mod_access_compat
+       #Order Deny,Allow
+       #Deny from all
+
+       # b) Apache 2.4 + mod_authz_core
+       #Require all denied
+
+       # c) Apache 2.x + mod_rewrite
+       #RewriteEngine on
+       #RewriteRule .* - [R=404,L]
+     </FilesMatch>
+
+ * You may be using AddHandler or AddType at other places,
+   including off-package files.  Please have a look.
+
+ * app-eselect/eselect-php is not the only package affected.
+   There is a dedicated tracker bug at [4].
+   As of the moment, affected packages include:
+
+     app-eselect/eselect-php[apache2]
+     net-nds/gosa-core
+     www-apache/mod_fastcgi
+     www-apache/mod_flvx
+     www-apache/mod_python
+     www-apache/mod_suphp
+     www-apps/moinmoin
+     www-apps/rt[-lighttpd]
+
+
+Thanks to Nico Suhl, Michael Orlitzky and Marc Schiffbauer.
+
+[1] https://httpd.apache.org/docs/current/mod/mod_mime.html#addhandler
+[2] https://httpd.apache.org/docs/current/mod/mod_mime.html#addtype
+[3] https://httpd.apache.org/docs/current/mod/mod_mime.html#multipleext
+[4] https://bugs.gentoo.org/show_bug.cgi?id=544560
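
Review bot: In the recipe under `<FilesMatch "\.(php|php5|phtml|phps)\.">`, all three alternatives a), b) and c) are commented out, so a reader who pastes the block as shown gets a FilesMatch section that denies nothing. Add a sentence above the recipe telling the reader to uncomment exactly one alternative, the one matching their Apache version and loaded modules. The recipe's pattern also includes phps, while the preceding find command has no `-name '*.phps.*'` term and the shipped `\.(php|php5|phtml)$` block does not list phps either; drop phps from the recipe or add it to the find command and say why it is covered.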

diff --git a/2015/2015-04-06-apache-addhandler-addtype/2015-04-06-apache-addhandler-addtype.en.txt.asc b/2015/2015-04-06-apache-addhandler-addtype/2015-04-06-apache-addhandler-addtype.en.txt.asc
new file mode 100644
index 0000000..6009404
--- /dev/null
+++ b/2015/2015-04-06-apache-addhandler-addtype/2015-04-06-apache-addhandler-addtype.en.txt.asc
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2
+
+iEYEABECAAYFAlUhwHwACgkQsAvGakAaFgCENgCZAYxX6GOQsU+k50P2r1SWIRQp
+mmwAoKGcmcQVTM9uBTNp+s0cU2lByHPT
+=uDRW
+-----END PGP SIGNATURE-----



* [gentoo-commits] proj/gentoo-news:master commit in: 2015/2015-04-06-apache-addhandler-addtype/
@ 2015-04-06 12:53 Sebastian Pipping
From: Sebastian Pipping @ 2015-04-06 12:53 UTC
  To: gentoo-commits

commit:     a63ce98a6297bf371488c26c034dc22f6d8877b9
Author:     Sebastian Pipping <sebastian <AT> pipping <DOT> org>
AuthorDate: Mon Apr  6 12:51:19 2015 +0000
Commit:     Sebastian Pipping <sping <AT> gentoo <DOT> org>
CommitDate: Mon Apr  6 12:51:31 2015 +0000
URL:        https://gitweb.gentoo.org/proj/gentoo-news.git/commit/?id=a63ce98a

Improve news item "Apache AddHandler/AddType vulnerability protection"

 .../2015-04-06-apache-addhandler-addtype.en.txt              | 12 ++++++++----
 .../2015-04-06-apache-addhandler-addtype.en.txt.asc          |  6 +++---
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/2015/2015-04-06-apache-addhandler-addtype/2015-04-06-apache-addhandler-addtype.en.txt b/2015/2015-04-06-apache-addhandler-addtype/2015-04-06-apache-addhandler-addtype.en.txt
index d7d58af..f90d091 100644
--- a/2015/2015-04-06-apache-addhandler-addtype/2015-04-06-apache-addhandler-addtype.en.txt
+++ b/2015/2015-04-06-apache-addhandler-addtype/2015-04-06-apache-addhandler-addtype.en.txt
@@ -1,8 +1,8 @@
-Title: Apache AddHandler/AddType vulnerability protection
+Title: Apache AddHandler/AddType exploit protection
 Author: Sebastian Pipping <sping@gentoo.org>
 Content-Type: text/plain
 Posted: 2015-04-06
-Revision: 1
+Revision: 2
 News-Item-Format: 1.0
 Display-If-Installed: www-servers/apache
 
@@ -22,7 +22,7 @@ index.php.png is not executed, but index.php.disabled still is.
 
 Apache's notes on multiple file extensions [3] document
 a multi-language website as a context where that behavior
-may be helpful.  Unfortunately, it can be a security threat.
+may be helpful.  Unfortunately, it can also be a security threat.
 
 Combined with (not just PHP) applications that support
 file upload, the AddHandler/AddType directive can get you into
@@ -43,6 +43,10 @@ Why this news entry?
  * Since Apache configuration lives below /etc,
    you need to run etc-update (or a substitute)
    to actually have related fixes applied.
+   To get them into the running instance of Apache,
+   you need to make it reload its configuration, e.g.
+
+     sudo /etc/init.d/apache2 reload
 
  * If you are currently relying on AddHandler to execute
    secret_database_stuff.php.inc, moving away from AddHandler
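
Review bot: The added reload step in the first bullet comes before the next bullet's warning that moving away from AddHandler could serve secret_database_stuff.php.inc in plain text, so a reader working top to bottom reloads Apache before checking for such files. Suggest moving the reload instruction after that bullet, or adding a pointer here to look for `*.php.*` files first. A configuration syntax check such as `apache2ctl configtest` before the reload would also be worth mentioning, since the text has the reader merging changes via etc-update.
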
@@ -71,7 +75,7 @@ Why this news entry?
        #RewriteRule .* - [R=404,L]
      </FilesMatch>
 
- * You may be using AddHandler or AddType at other places,
+ * You may be using AddHandler or AddType in other places,
    including off-package files.  Please have a look.
 
  * app-eselect/eselect-php is not the only package affected.
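
Review bot: The reworded bullet still ends with "Please have a look" and gives the reader no way to do that, unlike the find example offered for stray PHP files. Suggest adding a search over the configuration tree, for example `grep -rnE 'Add(Handler|Type)' /etc/apache2/`, and naming vhost includes and .htaccess files as places to check.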

diff --git a/2015/2015-04-06-apache-addhandler-addtype/2015-04-06-apache-addhandler-addtype.en.txt.asc b/2015/2015-04-06-apache-addhandler-addtype/2015-04-06-apache-addhandler-addtype.en.txt.asc
index 6009404..24ff156 100644
--- a/2015/2015-04-06-apache-addhandler-addtype/2015-04-06-apache-addhandler-addtype.en.txt.asc
+++ b/2015/2015-04-06-apache-addhandler-addtype/2015-04-06-apache-addhandler-addtype.en.txt.asc
@@ -1,7 +1,7 @@
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
-iEYEABECAAYFAlUhwHwACgkQsAvGakAaFgCENgCZAYxX6GOQsU+k50P2r1SWIRQp
-mmwAoKGcmcQVTM9uBTNp+s0cU2lByHPT
-=uDRW
+iEYEABECAAYFAlUigTAACgkQsAvGakAaFgCjYgCgolN2sUZAffYDBcPQ5tQ/nJJH
+vOUAn2VaVIeKYOcmlQV8hct2IhL4ZfMC
+=/vsQ
 -----END PGP SIGNATURE-----

