* [gentoo-dev] Review: Apache AddHandler news item
From: Sebastian Pipping @ 2015-03-26 16:56 UTC
To: gentoo-dev
Hi!
In context of
https://bugs.gentoo.org/show_bug.cgi?id=538822
mjo and I agreed that a portage news item would be a good idea.
Please review my proposal below. Thank you!
Best,
Sebastian
===========================================================
Title: Apache AddHandler vulnerability protection
Author: Sebastian Pipping <sping@gentoo.org>
Content-Type: text/plain
Posted: 2015-03-26
Revision: 1
News-Item-Format: 1.0
Display-If-Installed: www-servers/apache
Apache's directive AddHandler [1] can be used to map
certain file name extensions (e.g. .php) to a handler
(e.g. application/x-httpd-php). While a line like
AddHandler application/x-httpd-php .php .php5 .phtml
matches index.php, it also matches index.php.png.
Apache's notes on multiple file extensions [2] document
a multi-language website as a context where that behavior
may be helpful. Unfortunately, it can be a security threat.
Combined with (not just PHP) applications that support
file upload, the AddHandler directive can get you into
remote code execution situations.
That is why app-admin/eselect-php now avoids AddHandler
and is shipping
<FilesMatch "\.(php|php5|phtml)$">
SetHandler application/x-httpd-php
</FilesMatch>
instead.
Why this news entry?
* Since Apache configuration lives below /etc,
you need to run etc-update (or a substitute)
to actually have related fixes applied.
* You may be using AddHandler at other places,
including off-package files. Please have a look.
* app-admin/eselect-php is not the only package
affected. There is a dedicated tracker bug at [3].
As of the momment, affected packages include:
app-admin/eselect-php[apache2]
dev-lang/php[apache2]
net-nds/gosa-core
www-apache/mod_fastcgi
www-apache/mod_flvx
www-apache/mod_python
www-apache/mod_suphp
www-apps/moinmoin
www-apps/rt[-lighttpd]
[1] https://httpd.apache.org/docs/current/mod/mod_mime.html#addhandler
[2] https://httpd.apache.org/docs/current/mod/mod_mime.html#multipleext
[3] https://bugs.gentoo.org/show_bug.cgi?id=544560
* Re: [gentoo-dev] Review: Apache AddHandler news item
From: Michael Orlitzky @ 2015-03-26 17:02 UTC
To: gentoo-dev
On 03/26/2015 12:56 PM, Sebastian Pipping wrote:
>
> Why this news entry?
>
The most important reason is missing =)
If you are relying on the AddHandler behavior to execute
secret_database_stuff.php.inc, then once the change is made, Apache will
begin serving up your database credentials in plain text.
* Re: [gentoo-dev] Review: Apache AddHandler news item
From: Sebastian Pipping @ 2015-03-26 18:15 UTC
To: gentoo-dev
On 26.03.2015 18:02, Michael Orlitzky wrote:
> The most important reason is missing =)
>
> If you are relying on the AddHandler behavior to execute
> secret_database_stuff.php.inc, then once the change is made, Apache will
> begin serving up your database credentials in plain text.
Good point.
Changes:
* Revision bump
* Add section on .php.inc
* Add thanks line
================================================================
Title: Apache AddHandler vulnerability protection
Author: Sebastian Pipping <sping@gentoo.org>
Content-Type: text/plain
Posted: 2015-03-26
Revision: 2
News-Item-Format: 1.0
Display-If-Installed: www-servers/apache
Apache's directive AddHandler [1] can be used to map
certain file name extensions (e.g. .php) to a handler
(e.g. application/x-httpd-php). While a line like
AddHandler application/x-httpd-php .php .php5 .phtml
matches index.php, it also matches index.php.png.
Apache's notes on multiple file extensions [2] document
a multi-language website as a context where that behavior
may be helpful. Unfortunately, it can be a security threat.
Combined with (not just PHP) applications that support
file upload, the AddHandler directive can get you into
remote code execution situations.
That is why app-admin/eselect-php now avoids AddHandler
and is shipping
<FilesMatch "\.(php|php5|phtml)$">
SetHandler application/x-httpd-php
</FilesMatch>
instead.
Why this news entry?
* Since Apache configuration lives below /etc,
you need to run etc-update (or a substitute)
to actually have related fixes applied.
* If you are currently relying on AddHandler to execute
secret_database_stuff.php.inc, moving away from AddHandler
could result in serving your database credentials in plain
text. A command like
find /var/www/ -name '*.php.*' \
-o -name '*.php5.*' \
-o -name '*.phtml.*'
may help discovering PHP files that would no longer be executed.
* You may be using AddHandler at other places,
including off-package files. Please have a look.
* app-admin/eselect-php is not the only package
affected. There is a dedicated tracker bug at [3].
As of the momment, affected packages include:
app-admin/eselect-php[apache2]
dev-lang/php[apache2]
net-nds/gosa-core
www-apache/mod_fastcgi
www-apache/mod_flvx
www-apache/mod_python
www-apache/mod_suphp
www-apps/moinmoin
www-apps/rt[-lighttpd]
Thanks to Nico Suhl and Michael Orlitzky.
[1] https://httpd.apache.org/docs/current/mod/mod_mime.html#addhandler
[2] https://httpd.apache.org/docs/current/mod/mod_mime.html#multipleext
[3] https://bugs.gentoo.org/show_bug.cgi?id=544560
* Re: [gentoo-dev] Review: Apache AddHandler news item
From: Marc Schiffbauer @ 2015-03-26 19:50 UTC
To: gentoo-dev
* Sebastian Pipping schrieb am 26.03.15 um 19:15 Uhr:
> As of the momment, affected packages include:
^
Typo
--
0x35A64134 - 8AAC 5F46 83B4 DB70 8317
3723 296C 6CCA 35A6 4134
* Re: [gentoo-dev] Review: Apache AddHandler news item
From: Sebastian Pipping @ 2015-03-27 0:06 UTC
To: gentoo-dev
On 26.03.2015 20:50, Marc Schiffbauer wrote:
> * Sebastian Pipping schrieb am 26.03.15 um 19:15 Uhr:
>> As of the momment, affected packages include:
> ^ Typo
Thanks. Fixed in my local copy. No need to re-paste, I believe.
Best,
Sebastian
* [gentoo-dev] Re: Review: Apache AddHandler news item
From: Duncan @ 2015-03-27 2:33 UTC
To: gentoo-dev
Sebastian Pipping posted on Thu, 26 Mar 2015 19:15:09 +0100 as excerpted:
> Changes:
>
> * Revision bump
This ^^..
> * Add section on .php.inc
>
> * Add thanks line
>
>
> ================================================================
> Title: Apache AddHandler vulnerability protection
> Author: Sebastian Pipping <sping@gentoo.org>
> Content-Type: text/plain
> Posted: 2015-03-26
> Revision: 2
And this ^^..
> News-Item-Format: 1.0
> Display-If-Installed: www-servers/apache
This is a common error. While not entirely intuitive, AFAIK revision is
a post-publication value and should remain revision 1 unless a correction
is needed once published.
Perhaps it is time to formally change that. Reading software must be
prepared to deal with first-seen values greater than 1 in any case, since
a user might not have seen the original revision, and history has
repeatedly demonstrated that people want to bump the revision number
during initial discussion. So why not simply let it be bumped, and let
the first published version be what it may? If necessary, further bumps
can happen from there.
Tho in practice, very likely as a result of the pre-publishing approval
process including discussion here, AFAIK no such post-publishing
correcting revision has ever been necessary. But that's not to say it
won't /ever/ be necessary, so having the ability is certainly a good
thing. =:^)
Either that or start out with a pre-publishing version of 0.1 and bump
that, changing it to 1 on initial publish.
--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman
* Re: [gentoo-dev] Re: Review: Apache AddHandler news item
From: Sebastian Pipping @ 2015-03-28 17:24 UTC
To: gentoo-dev
Hi!
I was wondering about the same thing, too.
I can commit it as revision 1 for a workaround.
If you have some time, please take this question/issue further with the
related software and people.
Thanks in advance,
Sebastian
* Re: [gentoo-dev] Review: Apache AddHandler news item
From: Sebastian Pipping @ 2015-03-30 0:03 UTC
To: gentoo-dev
Next round:
* Recipe for handling "\.(php|php5|phtml|phps)\." manually added
* AddType (with similar problems) mentioned, too
* Typo "momment" fixed
(* Internal revision bump to 3, will be committed as revision 1)
(* Date bumped to today)
(* Links renumbered due to new link [2])
================================================================
Title: Apache AddHandler/AddType vulnerability protection
Author: Sebastian Pipping <sping@gentoo.org>
Content-Type: text/plain
Posted: 2015-03-30
Revision: 3
News-Item-Format: 1.0
Display-If-Installed: www-servers/apache
Apache's directives AddHandler [1] (and AddType [2]) can be used
to map certain file name extensions (e.g. .php) to a handler
(e.g. application/x-httpd-php). While a line like
AddHandler application/x-httpd-php .php .php5 .phtml
matches index.php, it also matches index.php.png.
Apache's notes on multiple file extensions [3] document
a multi-language website as a context where that behavior
may be helpful. Unfortunately, it can be a security threat.
Combined with (not just PHP) applications that support
file upload, the AddHandler/AddType directive can get you into
remote code execution situations.
That is why app-admin/eselect-php now avoids AddHandler
and is shipping
<FilesMatch "\.(php|php5|phtml)$">
SetHandler application/x-httpd-php
</FilesMatch>
instead.
Why this news entry?
* Since Apache configuration lives below /etc,
you need to run etc-update (or a substitute)
to actually have related fixes applied.
* If you are currently relying on AddHandler to execute
secret_database_stuff.php.inc, moving away from AddHandler
could result in serving your database credentials in plain
text. A command like
find /var/www/ -name '*.php.*' \
-o -name '*.php5.*' \
-o -name '*.phtml.*'
may help discovering PHP files that would no longer be executed.
Shipping automatic protection for this scenario is not trivial,
but you could manually install protection based on this recipe:
<FilesMatch "\.(php|php5|phtml|phps)\.">
# a) Apache 2.2 / Apache 2.4 + mod_access_compat
#Order Deny,Allow
#Deny from all
# b) Apache 2.4 + mod_authz_core
#Require all denied
# c) Apache 2.x + mod_rewrite
#RewriteEngine on
#RewriteRule .* - [R=404,L]
</FilesMatch>
* You may be using AddHandler (or AddType) at other places,
including off-package files. Please have a look.
* app-admin/eselect-php is not the only package
affected. There is a dedicated tracker bug at [4].
As of the moment, affected packages include:
app-admin/eselect-php[apache2]
dev-lang/php[apache2]
net-nds/gosa-core
www-apache/mod_fastcgi
www-apache/mod_flvx
www-apache/mod_python
www-apache/mod_suphp
www-apps/moinmoin
www-apps/rt[-lighttpd]
Thanks to Nico Suhl, Michael Orlitzky and Marc Schiffbauer.
[1] https://httpd.apache.org/docs/current/mod/mod_mime.html#addhandler
[2] https://httpd.apache.org/docs/current/mod/mod_mime.html#addtype
[3] https://httpd.apache.org/docs/current/mod/mod_mime.html#multipleext
[4] https://bugs.gentoo.org/show_bug.cgi?id=544560
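The behaviour the news item describes, modelled in Python as an added example (this is not code from the thread, from Gentoo or from Apache): mod_mime treats every dot-separated segment after the first as an extension, so the quoted AddHandler line fires for shell.php.png, while the anchored FilesMatch regex looks only at the final extension and therefore serves secret_database_stuff.php.inc as plain text; the deny recipe from revision 3 closes that second gap. The sample file names and the configuration fragment are constructed, and risky_directives() is a hypothetical helper standing in for the manual look through /etc/apache2 that the item asks for.

```python
"""Model of Apache mod_mime's multiple-extension rule versus an anchored
FilesMatch block. Added example; not code from the news item, Gentoo or Apache.
"""
import re

PHP_HANDLER = "application/x-httpd-php"

# The AddHandler line quoted in the news item, as the set of mapped extensions.
ADDHANDLER_EXTS = {".php", ".php5", ".phtml"}

# The FilesMatch/SetHandler replacement that eselect-php ships.
FILESMATCH_EXEC = re.compile(r"\.(php|php5|phtml)$")

# The manual deny recipe from revision 3 of the news item.
FILESMATCH_DENY = re.compile(r"\.(php|php5|phtml|phps)\.")

# AddHandler/AddType lines binding a PHP handler or type, the lines the news
# item asks administrators to look for in off-package configuration.
DIRECTIVE_RE = re.compile(r"^\s*(AddHandler|AddType)\s+(\S+)\s+(.*)$", re.I)


def addhandler_handler(filename):
    """Handler AddHandler picks under mod_mime's rule that every dot-separated
    segment after the first is an extension and a handler bound to any of them
    applies to the whole file. Extensions compare case-insensitively, as in
    mod_mime. Returns None when no segment is mapped."""
    for ext in filename.lower().split(".")[1:]:
        if "." + ext in ADDHANDLER_EXTS:
            return PHP_HANDLER
    return None


def filesmatch_handler(filename):
    """Handler the anchored FilesMatch block picks: only the final extension
    counts. The regex is case-sensitive unless written with (?i), so a file
    named INDEX.PHP would be served as text rather than executed."""
    return PHP_HANDLER if FILESMATCH_EXEC.search(filename) else None


def denied_by_recipe(filename):
    """True when the deny recipe blocks the request, i.e. a PHP extension is
    followed by a further dot (config.php.inc, shell.php.png)."""
    return FILESMATCH_DENY.search(filename) is not None


def classify(filename):
    """Outcome of one request under the old AddHandler configuration, the new
    FilesMatch configuration, and the new configuration plus the deny recipe."""
    old = "execute" if addhandler_handler(filename) else "serve"
    new = "execute" if filesmatch_handler(filename) else "serve"
    hardened = "deny" if denied_by_recipe(filename) else new
    return {"addhandler": old, "filesmatch": new, "filesmatch+deny": hardened}


def risky_directives(config_text):
    """(line number, line) for AddHandler/AddType lines whose handler or type
    starts with application/x-httpd-php. Hypothetical audit helper; a real
    audit would feed it every file below /etc/apache2 and any .htaccess the
    server honours."""
    hits = []
    for n, line in enumerate(config_text.splitlines(), 1):
        m = DIRECTIVE_RE.match(line)
        if m and m.group(2).lower().startswith(PHP_HANDLER):
            hits.append((n, line.strip()))
    return hits


# Constructed sample names covering the cases discussed on the list.
SAMPLES = [
    "index.php",                      # legitimate script
    "shell.php.png",                  # upload the old config executes (RCE)
    "secret_database_stuff.php.inc",  # include file the new config serves as text
    "logo.png",                       # static asset, never executed
]

# Constructed sample configuration; not a real Gentoo file.
SAMPLE_CONFIG = """\
# constructed fragment in the style of an /etc/apache2/modules.d file
<IfDefine PHP>
    AddHandler application/x-httpd-php .php .php5 .phtml
    AddType application/x-httpd-php-source .phps
    <FilesMatch "\\.(php|php5|phtml)$">
        SetHandler application/x-httpd-php
    </FilesMatch>
</IfDefine>
"""


def report():
    """Per-sample outcomes plus the directives an audit of SAMPLE_CONFIG flags."""
    return {name: classify(name) for name in SAMPLES}, risky_directives(SAMPLE_CONFIG)


if __name__ == "__main__":
    outcomes, hits = report()
    for name, outcome in outcomes.items():
        print(f"{name:32s} {outcome}")
    for lineno, line in hits:
        print(f"config line {lineno}: {line}")
```

Running it shows the two failure modes side by side: shell.php.png is executed under AddHandler and merely served under FilesMatch, while secret_database_stuff.php.inc flips from executed to served as plain text, and only the deny recipe refuses both. The audit helper flags the AddHandler line and the AddType line but not the SetHandler inside FilesMatch.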
* Re: [gentoo-dev] Review: Apache AddHandler news item
From: Sebastian Pipping @ 2015-04-05 23:29 UTC
To: gentoo-dev
Published a slightly improved version now:
https://gitweb.gentoo.org/proj/gentoo-news.git/tree/2015/2015-04-06-apache-addhandler-addtype
If there's anything wrong with it, please mail me directly (or put me in
CC) so there is zero chance of slipping through. Thanks!
Best,
Sebastian
* [gentoo-dev] Re: Review: Apache AddHandler news item
From: Duncan @ 2015-04-06 4:53 UTC
To: gentoo-dev
Sebastian Pipping posted on Mon, 06 Apr 2015 01:29:19 +0200 as excerpted:
> Published a slightly improved version now:
>
> https://gitweb.gentoo.org/proj/gentoo-news.git/tree/2015/2015-04-06-apache-addhandler-addtype
>
> If there's anything wrong with it, please mail me directly (or put me in
> CC) so there is zero chance of slipping through. Thanks!
[also mailing sping@gentoo.org as requested]
$ echo "Apache AddHandler/AddType vulnerability protection" | wc -c
51
GLEP 42 says max title length 44 chars. 51-44=7 chars too long.
Off the top of my head, maybe just s/vulnerability/vuln/ ? That'd cut 9
chars for 42, leaving two to spare. Anyone with a better idea?
That's the big one. Here's a couple more minor English usage change
suggestions as well. (Changes denoted in caps here, obviously lowercase
them):
Line 25, add also:
may be helpful. Unfortunately, it can ALSO be a security threat.
Line 74 s/at/in/:
You may be using AddHandler or AddType IN other places,
--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman
* Re: [gentoo-dev] Re: Review: Apache AddHandler news item
From: Sebastian Pipping @ 2015-04-06 12:56 UTC
To: gentoo-dev
Hello Duncan,
On 06.04.2015 06:53, Duncan wrote:
> Sebastian Pipping posted on Mon, 06 Apr 2015 01:29:19 +0200 as excerpted:
>
>> Published a slightly improved version now:
>>
>> https://gitweb.gentoo.org/proj/gentoo-news.git/tree/2015/2015-04-06-apache-addhandler-addtype
>>
>> If there's anything wrong with it, please mail me directly (or put me in
>> CC) so there is zero chance of slipping through. Thanks!
>
> [also mailing sping@gentoo.org as requested]
thanks!
> $ echo "Apache AddHandler/AddType vulnerability protection" | wc -c
> 51
>
> GLEP 42 says max title length 44 chars. 51-44=7 chars too long.
Actually, echo prints a newline that is also counted. So it's 50 and 6
characters too much but you still have a point :)
> Off the top of my head, maybe just s/vulnerability/vuln/ ? That'd cut 9
> chars for 42, leaving two to spare. Anyone with a better idea?
I made it say "exploit" now:
# echo -n 'Apache AddHandler/AddType exploit protection' | wc -c
44
I hope that's "correct enough" in terms of security language.
The fix protects against exploits of the related vulnerability.
> That's the big one. Here's a couple more minor English usage change
> suggestions as well. (Changes denoted in caps here, obviously lowercase
> them):
>
> Line 25, add also:
>
> may be helpful. Unfortunately, it can ALSO be a security threat.
Fixed.
> Line 74 s/at/in/:
>
> You may be using AddHandler or AddType IN other places,
Fixed.
https://gitweb.gentoo.org/proj/gentoo-news.git/commit/?id=a63ce98a6297bf371488c26c034dc22f6d8877b9
Thanks for the review.
Best,
Sebastian
* [gentoo-dev] Re: Review: Apache AddHandler news item
From: Duncan @ 2015-04-07 7:14 UTC
To: gentoo-dev
Sebastian Pipping posted on Mon, 06 Apr 2015 14:56:30 +0200 as excerpted:
>> $ echo "Apache AddHandler/AddType vulnerability protection" | wc -c 51
>>
>> GLEP 42 says max title length 44 chars. 51-44=7 chars too long.
>
> Actually, echo prints a newline that is also counted [use echo -n].
> So it's 50 and 6 characters too much but you still have a point :)
That would explain the off-by-one I thought I noticed on the other active
news thread of the moment. Thank you. =:^)
--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman