Rich Bowen wrote:

The folks at Drupal have apparently just discovered that
something.php.bar is executed as PHP, and, thus, checking to see if a
file ends with .php is not sufficient to ensure that their file upload
feature can't be exploited.

Their file upload feature can likely be perpetually exploited, but that's
neither here nor there...

In fact, they have a whitelist, and check to see the files end only with
stuff on the whitelist, so it's a little more robust than that, but
still fairly easy to get around.

The only valid manner of configuring such a server is to cripple all
multiviews and negotiation in the 'uploads directory' (preferably NOT
by removing behaviors additively, but by staging uploads outside of such
negotiated directories, e.g. /server/uploads alongside /server/htdocs).

The line endings are only the beginning of the long list of vulnerabilities
in this scenario.  Adding '.txt' at the end of such names is an ineffectual
hack.  If the directory is listable the site becomes XSS vulnerable.  Even
if all else were equal, all handlers and filters would have to be defined
by content type, the mime.types as defined for the web space would have to
be used as the whitelist, and the filenames need to be parsed for all file
extensions segments.  Why bother?  Options None is probably their friend
for such purposes.

I've been asked to pass on a request for a configuration directive to
disable the support for multiple file extensions - that is, ensure that
only the final file extension is honored when determining how to handle
a file.

There are several.

 1. disable mod_mime / mod_negotiation
 2. disable Options Multiviews, and a host of other Options, in '/uploads'.
 3. MultiviewsMatch to refine behavior if multiviews are enabled
 4. SetHandler default-handler absolutely in the .htaccess or <Directory >
    to override everything negotiated (won't cripple filters, only handlers.)

I'll veto yet-another-option, because more options imply more ways to get
it wrong.

I haven't thought through all the implications of such a directive, nor
do I know how feasible it is. But I've passed on the request.

Nak'ed :)

Bill
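As an added illustration of the two points above (not code from the thread, Drupal or httpd): a small Python model of mod_mime's documented "Files with Multiple Extensions" behaviour, a whitelist derived from a mime.types excerpt, and the difference between checking only the final extension and checking every segment. The AddHandler/AddEncoding tables, the mime.types lines and the filenames are all constructed for the example; real mod_mime also consults MultiviewsMatch, negotiation and per-directory overrides, which this model leaves out.

```python
"""Added example: model of per-segment extension handling and a segment-wise
upload name check. Not the project's code; all tables below are constructed."""

# Constructed stand-ins for AddHandler / AddEncoding lines in httpd.conf.
ADD_HANDLER = {"php": "application/x-httpd-php", "cgi": "cgi-script"}
ADD_ENCODING = {"gz": "x-gzip"}

# Constructed excerpt in mime.types format ("type ext ext ...").
MIME_TYPES = """\
text/plain         txt
text/html          html htm
image/jpeg         jpeg jpg jpe
image/png          png
image/gif          gif
application/x-gzip gz
"""


def parse_mime_types(text):
    """Return {extension: media type} from mime.types-style lines."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        mtype, *exts = line.split()
        for ext in exts:
            table[ext.lower()] = mtype
    return table


ADD_TYPE = parse_mime_types(MIME_TYPES)


def mod_mime_lookup(filename):
    """Simplified model of mod_mime: every dot-separated segment after the base
    name is examined, each category (type, handler, encoding) is set by the last
    segment that matches it, and segments matching nothing are ignored. This is
    why 'shell.php.txt' gets the text/plain type AND the php handler."""
    result = {"type": None, "handler": None, "encoding": None}
    base, *segments = filename.rsplit("/", 1)[-1].split(".")
    for seg in segments:
        seg = seg.lower()
        if seg in ADD_TYPE:
            result["type"] = ADD_TYPE[seg]
        if seg in ADD_HANDLER:
            result["handler"] = ADD_HANDLER[seg]
        if seg in ADD_ENCODING:
            result["encoding"] = ADD_ENCODING[seg]
    return result


def ends_with_allowed(filename, allowed):
    """The check the thread criticises: only the final extension is inspected."""
    return filename.rsplit(".", 1)[-1].lower() in allowed


def all_segments_allowed(filename, allowed):
    """Every extension segment must be whitelisted; a bare name, an empty
    segment (e.g. 'a..jpg') or any unlisted segment is rejected."""
    base, *segments = filename.rsplit("/", 1)[-1].split(".")
    if not base or not segments:
        return False
    return all(seg and seg.lower() in allowed for seg in segments)


def upload_whitelist(mime_table, permitted_types):
    """Derive the extension whitelist from the server's own mime.types, keeping
    only extensions that map to types the uploads area is meant to serve."""
    return {ext for ext, mtype in mime_table.items() if mtype in permitted_types}


ALLOWED = upload_whitelist(
    ADD_TYPE, {"image/jpeg", "image/png", "image/gif", "text/plain"})

if __name__ == "__main__":
    for name in ("photo.jpg", "something.php.bar", "shell.php.txt", "a..jpg"):
        print(f"{name:18} mod_mime={mod_mime_lookup(name)} "
              f"last-ext-only={ends_with_allowed(name, ALLOWED)} "
              f"all-segments={all_segments_allowed(name, ALLOWED)}")
```

The model makes the "append .txt" point concrete: the type becomes text/plain, but the handler is a separate category and the .php segment still sets it. Even the segment-wise check is only a mitigation for the application layer; the server-side fix is still the one Bill lists, i.e. staging uploads outside negotiated directories and, where they must be served, Options None with handlers pinned via SetHandler default-handler.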
