Package: libapache2-mod-php5
Version: 5.3.3-7+squeeze14
Severity: normal

When you have a file with a name like "file.php.something", Apache considers it a PHP file and executes it even if its name does not end with .php or a PHP-related extension. If 'something' is a valid extension of another MIME type, like .jpeg, it won't be executed.

This leads to some security issues on machines where files can be uploaded. For example, if someone can upload a file named nasty.php.hack to a web server and then access it, he will gain access to this server with the same rights as Apache. Of course this can be prevented by checking the filenames on upload, but it is non-obvious, and the default behaviour is sufficiently surprising not to be expected.

-- System Information:
Debian Release: 6.0.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libapache2-mod-php5 depends on:
ii  apache2-mpm-prefor 2.2.16-6+squeeze8     Apache HTTP Server - traditional n
ii  apache2.2-common   2.2.16-6+squeeze8     Apache HTTP Server common files
ii  libbz2-1.0         1.0.5-6+squeeze1      high-quality block-sorting file co
ii  libc6              2.11.3-4              Embedded GNU C Library: Shared lib
ii  libcomerr2         1.41.12-4stable1      common error description library
ii  libdb4.8           4.8.30-2              Berkeley v4.8 Database Libraries [
ii  libgssapi-krb5-2   1.8.3+dfsg-4squeeze6  MIT Kerberos runtime libraries - k
ii  libk5crypto3       1.8.3+dfsg-4squeeze6  MIT Kerberos runtime libraries - C
ii  libkrb5-3          1.8.3+dfsg-4squeeze6  MIT Kerberos runtime libraries
ii  libmagic1          5.04-5+squeeze2       File type determination library us
ii  libonig2           5.9.1-1               Oniguruma regular expressions libr
ii  libpcre3           8.02-1.1              Perl 5 Compatible Regular Expressi
ii  libqdbm14          1.8.77-4              QDBM Database Libraries [runtime]
ii  libssl0.9.8        0.9.8o-4squeeze13     SSL shared libraries
ii  libxml2            2.7.8.dfsg-2+squeeze5 GNOME XML library
ii  mime-support       3.48-1                MIME files 'mime.types' & 'mailcap
ii  php5-common        5.3.3-7+squeeze14     Common files for packages built fr
ii  tzdata             2012g-0squeeze1       time zone and daylight-saving time
ii  ucf                3.0025+nmu1           Update Configuration File: preserv
ii  zlib1g             1:1.2.3.4.dfsg-3      compression library - runtime

Versions of packages libapache2-mod-php5 recommends:
ii  php5-cli           5.3.3-7+squeeze14     command-line interpreter for the p

Versions of packages libapache2-mod-php5 suggests:
ii  php-pear           5.3.3-7+squeeze14     PEAR - PHP Extension and Applicati

-- no debconf information
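The report says the problem can be prevented by checking filenames on upload. The check below is an added illustration, not code from the bug report or from the Debian package, of what such a check has to do given the behaviour described: because Apache's mod_mime looks at every dot-separated suffix, an upload filter must inspect every extension segment rather than only the last one. The set of extensions mapped to the PHP handler is an assumption (only ".php" is named in the report; the others are typical php5.conf defaults and should be matched to the server's real configuration), and the allow-list in stored_name is a constructed example. The filter is deliberately stricter than the reported behaviour: it also rejects "image.php.jpeg", which the report says would not be executed, since that depends on the MIME configuration of the particular server.

```python
import re
import unicodedata

# Extensions assumed to be mapped to the PHP handler (AddType/AddHandler in
# php5.conf). Only ".php" is named in the report; the rest is an assumption.
PHP_HANDLER_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phps"}

# A name or extension segment: ASCII letters, digits, "_" and "-" only.
_SAFE_SEGMENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]*$")


def _basename(filename: str) -> str:
    """Return the final path component, normalised, of an upload filename."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return unicodedata.normalize("NFKC", base)


def upload_name_is_safe(filename: str) -> bool:
    """True only if no dot-separated segment of the name is a PHP extension.

    "nasty.php.hack" is rejected even though its last extension is not ".php",
    which is exactly the multi-extension case the bug report describes.
    """
    # Embedded NUL or other control characters are never acceptable in a name.
    if any(ord(c) < 0x20 or c == "\x7f" for c in filename):
        return False
    segments = _basename(filename).split(".")
    # Require a base name plus at least one extension, and no empty segments
    # (rejects ".htaccess", "a..b", "a." and a bare "noext").
    if len(segments) < 2 or any(s == "" for s in segments):
        return False
    for segment in segments:
        if not _SAFE_SEGMENT.match(segment):
            return False
    # Check every extension segment, not just the last one.
    for ext in segments[1:]:
        if ext.lower() in PHP_HANDLER_EXTENSIONS:
            return False
    return True


def stored_name(filename: str, allowed_exts=("jpg", "jpeg", "png", "gif", "pdf")):
    """Name under which to store an accepted upload, or None if it is rejected.

    Keeps exactly one extension, taken from an allow-list, and turns any inner
    dots into underscores so the stored file cannot have multiple extensions.
    """
    if not upload_name_is_safe(filename):
        return None
    segments = _basename(filename).split(".")
    final_ext = segments[-1].lower()
    if final_ext not in allowed_exts:
        return None
    return "_".join(segments[:-1]) + "." + final_ext


if __name__ == "__main__":
    # Constructed sample names, including the one from the report.
    for name in ("nasty.php.hack", "photo.jpeg", "image.php.jpeg", "a.b.png"):
        print(f"{name!r}: safe={upload_name_is_safe(name)} stored={stored_name(name)!r}")
```

Renaming on storage (stored_name) is the more robust of the two measures: once every stored file has a single, allow-listed extension, the question of how the web server resolves multiple extensions no longer arises for the upload directory.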