Re: [gentoo-user] apache2 AddHandler/SetHandler vulnerability

public inbox for gentoo-user@lists.gentoo.org
 help / color / mirror / Atom feed

From: Grant <emailgrant@gmail.com>
To: Gentoo mailing list <gentoo-user@lists.gentoo.org>
Subject: Re: [gentoo-user] apache2 AddHandler/SetHandler vulnerability
Date: Sun, 26 Apr 2015 12:18:28 -0700	[thread overview]
Message-ID: <CAN0CFw3fSgAhn25Gy_rdNj5hJ7NRKL4GApx=MAqA0nYYpxduDA@mail.gmail.com> (raw)
In-Reply-To: <553C3699.4050705@gentoo.org>

>> I read about this vulnerability in the
>> 2015-04-06-apache-addhandler-addtype Gentoo news item.  I don't think
>> I'm using any functionality that could expose me to the problem but
>> I'd like to be able to say so for sure.  Does the fact that I'm
>> up-to-date with GLSAs, I don't have PHP5 in APACHE2_OPTS (I use
>> php-fpm), along with the following (which I think is default) indicate
>> that I'm not vulnerable?
>
> (1) Do you allow untrusted people to upload files to your server?
>
> (2) If so, do you try to prevent them from uploading PHP files
>     based on a regular expression or shell glob?
>
> Unless you answer "yes" to both of those questions, you don't need to
> check anything.
>
> The vulnerability is that with,
>
>   AddHandler application/x-httpd-php .php
>
> Apache will go ahead and try to execute (for example) foo.php.html. If
> you're blocking uploads of *.php to prevent people from uploading PHP
> scripts, then I could name my file foo.php.html and bypass your restriction.
>
> The AddHandler behavior was documented, but incredibly unexpected -- and
> we had it in the default configuration. The new config we ship uses,
>
>   <FilesMatch "\.php$">
>     SetHandler application/x-httpd-php
>   </FilesMatch>
>
> instead so only *.php files get executed.


Thank you Michael.

- Grant

     prev parent reply	other threads:[~2015-04-26 19:18 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-04-25 21:23 [gentoo-user] apache2 AddHandler/SetHandler vulnerability Grant
2015-04-26  0:51 ` Michael Orlitzky
2015-04-26  8:04   ` Mick
2015-04-26 17:14     ` Michael Orlitzky
2015-04-26 21:48       ` Mick
2015-04-26 22:04         ` Michael Orlitzky
2015-04-26 19:18   ` Grant [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAN0CFw3fSgAhn25Gy_rdNj5hJ7NRKL4GApx=MAqA0nYYpxduDA@mail.gmail.com' \
    --to=emailgrant@gmail.com \
    --cc=gentoo-user@lists.gentoo.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox