From: Mick <michaelkintzios@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] apache2 AddHandler/SetHandler vulnerability
Date: Sun, 26 Apr 2015 22:48:41 +0100
Message-Id: <201504262248.51228.michaelkintzios@gmail.com>
In-Reply-To: <553D1CF8.1070007@gentoo.org>

On Sunday 26 Apr 2015 18:14:32 Michael Orlitzky wrote:
> On 04/26/2015 04:04 AM, Mick wrote:
> > Hmm ... I am probably affected by this change too. Running find for
> > '*.php.*' et al, comes up with a tonne of files like this:
> >
> > /var/www/My_Website_Name/htdocs/modules/simpletest/tests/upgrade/drupal-7.filled.minimal.database.php.gz
> >
> > If I were to manually install protection, as suggested in the news item,
> > where should I be doing this?
> > In (umpteen) .htaccess files for each
> > vhost, or somewhere in /etc/apache2/*
>
> That's only a problem if those php.gz files can be uploaded by an
> untrusted user (and you want to stop them).
>
> That's a Drupal site, right? If you allow anonymous users to create
> accounts and upload files, then I could create an "mjo" account on your
> site and upload exploit.php.html to sites/default/files/mjo. Then I
> could visit,
>
> http://example.org/sites/default/files/mjo/exploit.php.html
>
> and it would run the script with the permissions of your web server. So,
> it could probably read the database password out of
> sites/default/settings.php.
>
> The half-assed way to prevent that is to block uploads of *.php files,
> but the point of the vulnerability is that not only PHP files will be
> executed. A better way is to disable the PHP engine entirely on any user
> upload directories. There was actually a Drupal CVE for that:
>
> https://www.drupal.org/SA-CORE-2013-003
>
> And yeah, you should do that on every user-upload directory for every
> website you have. It sucks but you can use mod_macro if you have more
> than one e.g. Drupal site. I've got this in our Drupal macro:
>
> <Directory "/var/www/$domain/$host/public/sites/*/files">
>   # Deny access to user-uploaded PHP files.
>   <Files "*.php">
>     Require all denied
>   </Files>
> </Directory>
>
> But maybe it's safer to use,
>
> <Directory "/var/www/$domain/$host/public/sites/*/files">
>   <Files "*">
>     php_flag engine off
>   </Files>
> </Directory>

Ah! Yes, I have these directives in the drupal 6 & 7 sites .htaccess files,
as per the advisory you mention. Thank you for your explanation.

When you say macro, is this something the webapp -U will apply, or is this
some of your own brew of scripts and if so where do you apply it?

-- 
Regards,
Mick
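An added illustration, not part of the thread or of any Gentoo or Drupal code: a Python model of why the `AddHandler` form is the problem (mod_mime treats every dotted segment of a name as an extension, in any position) next to an end-anchored `<FilesMatch "\.php$"> SetHandler` form (assumed here as the replacement the news item recommends) and the `php_flag engine off` directory block from Michael's macro, run over constructed Drupal-style paths. The sample paths and the upload-directory glob are assumptions.

```python
import re
from fnmatch import fnmatch

# Constructed sample paths (assumption, not from the thread), laid out like
# the Drupal vhost Mick describes.
SAMPLE_PATHS = [
    "/var/www/example/htdocs/index.php",
    "/var/www/example/htdocs/sites/default/files/photo.jpg",
    "/var/www/example/htdocs/sites/default/files/mjo/exploit.php.html",
    "/var/www/example/htdocs/sites/default/files/notes.PHP.txt",
    "/var/www/example/htdocs/modules/simpletest/tests/upgrade/"
    "drupal-7.filled.minimal.database.php.gz",
]
# Assumed glob for the user-upload directories the <Directory> block covers.
UPLOAD_DIR_GLOBS = ("/var/www/*/htdocs/sites/*/files",)

def runs_under_addhandler(path):
    """'AddHandler application/x-httpd-php .php' as mod_mime applies it: every
    dot-separated segment after the first is an extension, matched case-
    insensitively in any position, so exploit.php.html is handed to PHP."""
    base = path.rsplit("/", 1)[-1]
    return any(seg.lower() == "php" for seg in base.split(".")[1:])

def runs_under_filesmatch(path):
    """'<FilesMatch "\\.php$"> SetHandler application/x-httpd-php': the regex
    is anchored at the end of the name, so only a final .php is executed."""
    return re.search(r"\.php$", path.rsplit("/", 1)[-1]) is not None

def engine_off(path, upload_globs=UPLOAD_DIR_GLOBS):
    """'<Directory .../files> php_flag engine off': inside an upload directory
    (recursively) nothing is executed, whatever the file is called."""
    return any(fnmatch(path, g + "/*") for g in upload_globs)

def audit(paths=SAMPLE_PATHS):
    """Report which rule would execute each path. 'exposed' marks files the
    AddHandler config runs, the anchored FilesMatch does not, and no
    engine-off block covers."""
    report = {}
    for p in paths:
        add, fm, off = runs_under_addhandler(p), runs_under_filesmatch(p), engine_off(p)
        report[p] = {"addhandler": add, "filesmatch": fm, "engine_off": off,
                     "exposed": add and not fm and not off}
    return report

if __name__ == "__main__":
    for path, r in audit().items():
        print(path, r)
```

The `.php.gz` test fixture under `modules/` comes out exposed under the legacy `AddHandler` config, which is exactly the case Michael qualifies: it only matters if an untrusted user can write there.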