reassign 691413 mime-support
affects 691413 +php5
affects 589384 +php5
forcemerge 589384 691413
thank you
Hi,

yes, it's a known problem and it has been fixed in wheezy. There's no immediate remedy in squeeze which doesn't include breaking existing installations.

Ondrej

On Thu, Oct 25, 2012 at 2:39 PM, Pierre Colombier <pcdw...@pcdwarf.net> wrote:
> Package: libapache2-mod-php5
> Version: 5.3.3-7+squeeze14
> Severity: normal
>
> When you have a file with a name like
> "file.php.something",
> Apache considers it is a php file and executes it even if its name
> does not end with .php or a php-related extension.
> If 'something' is a valid extension of another mimetype
> like .jpeg it won't be executed.
>
> This leads to some security issues with machines
> where files can be uploaded. For example if someone
> can upload a file named nasty.php.hack on a web server
> and then access it, he will gain access to this server with the
> same rights as apache.
> Of course this can be prevented by checking the filenames
> on upload but it is non obvious and the default behaviour
> is sufficiently surprising not to be expected.
>
>
> -- System Information:
> Debian Release: 6.0.6
>   APT prefers stable-updates
>   APT policy: (500, 'stable-updates'), (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
> Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages libapache2-mod-php5 depends on:
> ii  apache2-mpm-prefor  2.2.16-6+squeeze8      Apache HTTP Server - traditional n
> ii  apache2.2-common    2.2.16-6+squeeze8      Apache HTTP Server common files
> ii  libbz2-1.0          1.0.5-6+squeeze1       high-quality block-sorting file co
> ii  libc6               2.11.3-4               Embedded GNU C Library: Shared lib
> ii  libcomerr2          1.41.12-4stable1       common error description library
> ii  libdb4.8            4.8.30-2               Berkeley v4.8 Database Libraries [
> ii  libgssapi-krb5-2    1.8.3+dfsg-4squeeze6   MIT Kerberos runtime libraries - k
> ii  libk5crypto3        1.8.3+dfsg-4squeeze6   MIT Kerberos runtime libraries - C
> ii  libkrb5-3           1.8.3+dfsg-4squeeze6   MIT Kerberos runtime libraries
> ii  libmagic1           5.04-5+squeeze2        File type determination library us
> ii  libonig2            5.9.1-1                Oniguruma regular expressions libr
> ii  libpcre3            8.02-1.1               Perl 5 Compatible Regular Expressi
> ii  libqdbm14           1.8.77-4               QDBM Database Libraries [runtime]
> ii  libssl0.9.8         0.9.8o-4squeeze13      SSL shared libraries
> ii  libxml2             2.7.8.dfsg-2+squeeze5  GNOME XML library
> ii  mime-support        3.48-1                 MIME files 'mime.types' & 'mailcap
> ii  php5-common         5.3.3-7+squeeze14      Common files for packages built fr
> ii  tzdata              2012g-0squeeze1        time zone and daylight-saving time
> ii  ucf                 3.0025+nmu1            Update Configuration File: preserv
> ii  zlib1g              1:1.2.3.4.dfsg-3       compression library - runtime
>
> Versions of packages libapache2-mod-php5 recommends:
> ii  php5-cli            5.3.3-7+squeeze14      command-line interpreter for the p
>
> Versions of packages libapache2-mod-php5 suggests:
> ii  php-pear            5.3.3-7+squeeze14      PEAR - PHP Extension and Applicati
>
> -- no debconf information
>
-- 
Ondřej Surý <ond...@sury.org>
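The behaviour Pierre describes comes from mod_mime treating every dot-separated suffix of a filename as an extension: when the PHP handler is attached with AddType/AddHandler, "nasty.php.hack" still carries the .php type, while "nasty.php.jpeg" does not because the later .jpeg extension overrides the content type. The stanza below is an added illustration, not text from the bug report and not the contents of Debian's php5.conf; the weak mapping and the anchored FilesMatch replacement are written from memory of how mod_php is commonly configured, and the /var/www/uploads path is a placeholder for whatever directory accepts user uploads.

```apache
# Weak mapping (the style that produces the reported behaviour).
# mod_mime applies the type to any position in the extension chain,
# so file.php.something is still handed to mod_php.
AddType application/x-httpd-php .php .phtml .php3
AddType application/x-httpd-php-source .phps

# Hardened mapping: the handler is bound to a regex anchored at the
# end of the filename, so only names that actually end in .php,
# .php3 or .phtml reach the PHP engine. Use this in place of the
# AddType lines above, not in addition to them.
<FilesMatch "\.ph(p3?|tml)$">
    SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch "\.phps$">
    SetHandler application/x-httpd-php-source
</FilesMatch>

# Defence in depth for a directory that stores uploaded files
# (placeholder path): switch the PHP engine off there entirely so that
# even a file that does end in .php is served as static content rather
# than executed. php_admin_flag cannot be overridden from .htaccess.
<Directory /var/www/uploads>
    php_admin_flag engine off
</Directory>
```

After changing the mapping, `apache2ctl -t` checks the syntax and a request for a test file named something like probe.php.txt placed in a document root should come back as plain text rather than PHP output; the upload-side filename check Pierre mentions remains worthwhile on squeeze, where the packaged configuration was not changed.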