* [gentoo-user] apache2 AddHandler/SetHandler vulnerability
From: Grant @ 2015-04-25 21:23 UTC
To: Gentoo mailing list

I read about this vulnerability in the 2015-04-06-apache-addhandler-addtype Gentoo news item. I don't think I'm using any functionality that could expose me to the problem but I'd like to be able to say so for sure. Does the fact that I'm up-to-date with GLSAs, I don't have PHP5 in APACHE2_OPTS (I use php-fpm), along with the following (which I think is default) indicate that I'm not vulnerable?

# grep AddHandler -R /etc/apache2
/etc/apache2/modules.d/70_mod_php5.conf:        AddHandler application/x-httpd-php .php .php5 .phtml
/etc/apache2/modules.d/70_mod_php5.conf:        AddHandler application/x-httpd-php-source .phps
/etc/apache2/modules.d/00_mod_mime.conf:# AddHandler allows you to map certain file extensions to "handlers":
/etc/apache2/modules.d/00_mod_mime.conf:#AddHandler cgi-script .cgi
/etc/apache2/modules.d/00_mod_mime.conf:#AddHandler type-map var
/etc/apache2/modules.d/00_error_documents.conf:        AddHandler type-map var

# grep AddType -R /etc/apache2
/etc/apache2/modules.d/40_mod_ssl.conf:        AddType application/x-x509-ca-cert .crt
/etc/apache2/modules.d/40_mod_ssl.conf:        AddType application/x-pkcs7-crl .crl
/etc/apache2/modules.d/00_mod_mime.conf:# AddType allows you to add to or override the MIME configuration
/etc/apache2/modules.d/00_mod_mime.conf:#AddType application/x-gzip .tgz
/etc/apache2/modules.d/00_mod_mime.conf:AddType application/x-compress .Z
/etc/apache2/modules.d/00_mod_mime.conf:AddType application/x-gzip .gz .tgz
/etc/apache2/modules.d/00_mod_mime.conf:#AddType text/html .shtml

- Grant
* Re: [gentoo-user] apache2 AddHandler/SetHandler vulnerability
From: Michael Orlitzky @ 2015-04-26 0:51 UTC
To: gentoo-user

On 04/25/2015 05:23 PM, Grant wrote:
> I read about this vulnerability in the
> 2015-04-06-apache-addhandler-addtype Gentoo news item. I don't think
> I'm using any functionality that could expose me to the problem but
> I'd like to be able to say so for sure. Does the fact that I'm
> up-to-date with GLSAs, I don't have PHP5 in APACHE2_OPTS (I use
> php-fpm), along with the following (which I think is default) indicate
> that I'm not vulnerable?

(1) Do you allow untrusted people to upload files to your server?

(2) If so, do you try to prevent them from uploading PHP files based on a regular expression or shell glob?

Unless you answer "yes" to both of those questions, you don't need to check anything.

The vulnerability is that with,

  AddHandler application/x-httpd-php .php

Apache will go ahead and try to execute (for example) foo.php.html. If you're blocking uploads of *.php to prevent people from uploading PHP scripts, then I could name my file foo.php.html and bypass your restriction.

The AddHandler behavior was documented, but incredibly unexpected -- and we had it in the default configuration. The new config we ship uses,

  <FilesMatch "\.php$">
    SetHandler application/x-httpd-php
  </FilesMatch>

instead so only *.php files get executed.
* Re: [gentoo-user] apache2 AddHandler/SetHandler vulnerability
From: Mick @ 2015-04-26 8:04 UTC
To: gentoo-user

On Sunday 26 Apr 2015 01:51:37 Michael Orlitzky wrote:
> On 04/25/2015 05:23 PM, Grant wrote:
> > I read about this vulnerability in the
> > 2015-04-06-apache-addhandler-addtype Gentoo news item. I don't think
> > I'm using any functionality that could expose me to the problem but
> > I'd like to be able to say so for sure. Does the fact that I'm
> > up-to-date with GLSAs, I don't have PHP5 in APACHE2_OPTS (I use
> > php-fpm), along with the following (which I think is default) indicate
> > that I'm not vulnerable?
>
> (1) Do you allow untrusted people to upload files to your server?
>
> (2) If so, do you try to prevent them from uploading PHP files
> based on a regular expression or shell glob?
>
> Unless you answer "yes" to both of those questions, you don't need to
> check anything.
>
> The vulnerability is that with,
>
>   AddHandler application/x-httpd-php .php
>
> Apache will go ahead and try to execute (for example) foo.php.html. If
> you're blocking uploads of *.php to prevent people from uploading PHP
> scripts, then I could name my file foo.php.html and bypass your
> restriction.
>
> The AddHandler behavior was documented, but incredibly unexpected -- and
> we had it in the default configuration. The new config we ship uses,
>
>   <FilesMatch "\.php$">
>     SetHandler application/x-httpd-php
>   </FilesMatch>
>
> instead so only *.php files get executed.

Hmm ... I am probably affected by this change too. Running find for '*.php.*' et al. comes up with a tonne of files like this:

  /var/www/My_Website_Name/htdocs/modules/simpletest/tests/upgrade/drupal-7.filled.minimal.database.php.gz

If I were to manually install protection, as suggested in the news item, where should I be doing this? In (umpteen) .htaccess files for each vhost, or somewhere in /etc/apache2/*

--
Regards,
Mick
* Re: [gentoo-user] apache2 AddHandler/SetHandler vulnerability
From: Michael Orlitzky @ 2015-04-26 17:14 UTC
To: gentoo-user

On 04/26/2015 04:04 AM, Mick wrote:
>
> Hmm ... I am probably affected by this change too. Running find for '*.php.*'
> et al, comes up with a tonne of files like this:
>
> /var/www/My_Website_Name/htdocs/modules/simpletest/tests/upgrade/drupal-7.filled.minimal.database.php.gz
>
> If I were to manually install protection, as suggested in the news item, where
> should I be doing this? In (umpteen) .htaccess files for each vhost, or
> somewhere in /etc/apache2/*
>

That's only a problem if those php.gz files can be uploaded by an untrusted user (and you want to stop them).

That's a Drupal site, right? If you allow anonymous users to create accounts and upload files, then I could create an "mjo" account on your site and upload exploit.php.html to sites/default/files/mjo. Then I could visit,

  http://example.org/sites/default/files/mjo/exploit.php.html

and it would run the script with the permissions of your web server. So, it could probably read the database password out of sites/default/settings.php.

The half-assed way to prevent that is to block uploads of *.php files, but the point of the vulnerability is that not only PHP files will be executed. A better way is to disable the PHP engine entirely on any user upload directories. There was actually a Drupal CVE for that:

  https://www.drupal.org/SA-CORE-2013-003

And yeah, you should do that on every user-upload directory for every website you have. It sucks but you can use mod_macro if you have more than one e.g. Drupal site. I've got this in our Drupal macro:

  <Directory "/var/www/$domain/$host/public/sites/*/files">
    # Deny access to user-uploaded PHP files.
    <Files "*.php">
      Require all denied
    </Files>
  </Directory>

But maybe it's safer to use,

  <Directory "/var/www/$domain/$host/public/sites/*/files">
    <Files "*">
      php_flag engine off
    </Files>
  </Directory>
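As an added example that is not part of the thread, of Gentoo's apache2 ebuild or of Apache itself, the following Python script models the two behaviours discussed above: how mod_mime's extension-based AddHandler picks a handler for a multi-extension name such as foo.php.html (Michael's first reply), and why a glob-based <Files "*.php"> deny rule in an upload directory does not cover the same files (the reason he suggests php_flag engine off on "*" instead). It runs an audit over a constructed directory listing and reports which names the old AddHandler default would execute, which the FilesMatch/SetHandler replacement would, and which of the former a "*.php" glob would miss. The handler table is taken from 70_mod_php5.conf as quoted in the thread; the sample paths are constructed, and the model follows the documented mod_mime rules (every dot-separated component after the basename is an extension, matched case-insensitively, rightmost handler-bearing extension wins) without modelling MIME types, languages, encodings or .htaccess merging.

```python
"""Audit which filenames Apache would hand to the PHP handler under the
old AddHandler default versus the FilesMatch/SetHandler replacement.

Added example, not code from the thread, Gentoo or Apache. The sample
paths below are constructed; the extension rules follow the documented
behaviour of mod_mime (multiple extensions, case-insensitive matching,
rightmost handler extension wins) and nothing else.
"""
import fnmatch
import re

# Old Gentoo default from 70_mod_php5.conf, as quoted in the thread.
OLD_ADDHANDLER = {
    ".php": "application/x-httpd-php",
    ".php5": "application/x-httpd-php",
    ".phtml": "application/x-httpd-php",
    ".phps": "application/x-httpd-php-source",
}

# New Gentoo default: <FilesMatch "\.php$"> SetHandler application/x-httpd-php
NEW_FILESMATCH = (re.compile(r"\.php$"), "application/x-httpd-php")


def basename(path):
    return path.rsplit("/", 1)[-1]


def extensions(path):
    """Every dot-separated component after the first one, lower-cased:
    'foo.php.html' -> ['.php', '.html']. mod_mime inspects each of them."""
    return ["." + p.lower() for p in basename(path).split(".")[1:]]


def handler_addhandler(path, handlers=OLD_ADDHANDLER):
    """AddHandler semantics: any extension anywhere in the name can select
    the handler; if several extensions carry a handler, the rightmost wins."""
    chosen = None
    for ext in extensions(path):
        if ext in handlers:
            chosen = handlers[ext]
    return chosen


def handler_filesmatch(path, rule=NEW_FILESMATCH):
    """FilesMatch/SetHandler semantics: the regex is tested against the
    basename, so an end-anchored pattern only fires for a trailing .php."""
    pattern, handler = rule
    return handler if pattern.search(basename(path)) else None


def files_glob_matches(path, glob="*.php"):
    """<Files "*.php"> is a shell glob on the basename (case-sensitive on
    Unix); it does not see 'exploit.php.html' at all."""
    return fnmatch.fnmatchcase(basename(path), glob)


def audit(paths):
    """Per path: executed under the old config? under the new one?
    covered by a *.php glob deny rule?"""
    return [
        {
            "file": p,
            "old_executes": handler_addhandler(p) is not None,
            "new_executes": handler_filesmatch(p) is not None,
            "glob_denied": files_glob_matches(p),
        }
        for p in paths
    ]


def slipped_past_glob(paths):
    """Files the old AddHandler config would execute that a <Files "*.php">
    deny rule (or an upload filter on *.php) would not have caught."""
    return [r["file"] for r in audit(paths)
            if r["old_executes"] and not r["glob_denied"]]


# Constructed listing of a Drupal-style upload tree (sample data).
SAMPLE = [
    "sites/default/files/mjo/exploit.php.html",
    "sites/default/files/mjo/avatar.PHTML.jpg",
    "sites/default/files/index.php",
    "modules/simpletest/tests/upgrade/drupal-7.filled.minimal.database.php.gz",
    "sites/default/files/notes.txt",
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
    print("executed by AddHandler but missed by *.php:", slipped_past_glob(SAMPLE))
```

Running it shows exploit.php.html, avatar.PHTML.jpg and the .php.gz test fixture all flagged as executable under the old AddHandler line while only index.php is matched by the "*.php" glob, and only index.php is executed under the new FilesMatch rule. That gap is the reason a per-directory php_flag engine off (or a deny on every file in the upload tree) is the robust fix: it does not depend on enumerating extensions. The script models the rules rather than parsing httpd.conf, so confirm a real configuration against the running server's merged config.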
* Re: [gentoo-user] apache2 AddHandler/SetHandler vulnerability
From: Mick @ 2015-04-26 21:48 UTC
To: gentoo-user

On Sunday 26 Apr 2015 18:14:32 Michael Orlitzky wrote:
> On 04/26/2015 04:04 AM, Mick wrote:
> > Hmm ... I am probably affected by this change too. Running find for
> > '*.php.*' et al, comes up with a tonne of files like this:
> >
> > /var/www/My_Website_Name/htdocs/modules/simpletest/tests/upgrade/drupal-7
> > .filled.minimal.database.php.gz
> >
> > If I were to manually install protection, as suggested in the news item,
> > where should I be doing this? In (umpteen) .htaccess files for each
> > vhost, or somewhere in /etc/apache2/*
>
> That's only a problem if those php.gz files can be uploaded by an
> untrusted user (and you want to stop them).
>
> That's a Drupal site, right? If you allow anonymous users to create
> accounts and upload files, then I could create an "mjo" account on your
> site and upload exploit.php.html to sites/default/files/mjo. Then I
> could visit,
>
>   http://example.org/sites/default/files/mjo/exploit.php.html
>
> and it would run the script with the permissions of your web server. So,
> it could probably read the database password out of
> sites/default/settings.php.
>
> The half-assed way to prevent that is to block uploads of *.php files,
> but the point of the vulnerability is that not only PHP files will be
> executed. A better way is to disable the PHP engine entirely on any user
> upload directories. There was actually a Drupal CVE for that:
>
>   https://www.drupal.org/SA-CORE-2013-003
>
> And yeah, you should do that on every user-upload directory for every
> website you have. It sucks but you can use mod_macro if you have more
> than one e.g. Drupal site. I've got this in our Drupal macro:
>
>   <Directory "/var/www/$domain/$host/public/sites/*/files">
>     # Deny access to user-uploaded PHP files.
>     <Files "*.php">
>       Require all denied
>     </Files>
>   </Directory>
>
> But maybe it's safer to use,
>
>   <Directory "/var/www/$domain/$host/public/sites/*/files">
>     <Files "*">
>       php_flag engine off
>     </Files>
>   </Directory>

Ah! Yes, I have these directives in the drupal 6 & 7 sites' .htaccess files, as per the advisory you mention. Thank you for your explanation.

When you say macro, is this something the webapp -U will apply, or is this some of your own brew of scripts and if so where do you apply it?

--
Regards,
Mick
* Re: [gentoo-user] apache2 AddHandler/SetHandler vulnerability
From: Michael Orlitzky @ 2015-04-26 22:04 UTC
To: gentoo-user

On 04/26/2015 05:48 PM, Mick wrote:
>
> When you say macro, is this something the webapp -U will apply, or is this
> some of your own brew of scripts and if so where do you apply it?
>

Either www-apache/mod_macro with apache-2.2, or the built-in version with apache-2.4:

  http://httpd.apache.org/docs/current/mod/mod_macro.html
* Re: [gentoo-user] apache2 AddHandler/SetHandler vulnerability
From: Grant @ 2015-04-26 19:18 UTC
To: Gentoo mailing list

>> I read about this vulnerability in the
>> 2015-04-06-apache-addhandler-addtype Gentoo news item. I don't think
>> I'm using any functionality that could expose me to the problem but
>> I'd like to be able to say so for sure. Does the fact that I'm
>> up-to-date with GLSAs, I don't have PHP5 in APACHE2_OPTS (I use
>> php-fpm), along with the following (which I think is default) indicate
>> that I'm not vulnerable?
>
> (1) Do you allow untrusted people to upload files to your server?
>
> (2) If so, do you try to prevent them from uploading PHP files
> based on a regular expression or shell glob?
>
> Unless you answer "yes" to both of those questions, you don't need to
> check anything.
>
> The vulnerability is that with,
>
>   AddHandler application/x-httpd-php .php
>
> Apache will go ahead and try to execute (for example) foo.php.html. If
> you're blocking uploads of *.php to prevent people from uploading PHP
> scripts, then I could name my file foo.php.html and bypass your restriction.
>
> The AddHandler behavior was documented, but incredibly unexpected -- and
> we had it in the default configuration. The new config we ship uses,
>
>   <FilesMatch "\.php$">
>     SetHandler application/x-httpd-php
>   </FilesMatch>
>
> instead so only *.php files get executed.

Thank you Michael.

- Grant