Package: libapache2-mod-php5
Version: 5.4.34-0+deb7u1
Severity: important
Dear Maintainer,
*** Please consider answering these questions, where appropriate ***
* What led up to the situation
Hello Debian Security Team.
Just observed an issue when one of my Arbitrary File Upload Vulnerabilities got
fixed.
Here I am explaining a scenario to you.
Many developers prevent File Upload Vulnerability by blocking "['php', 'php3',
'php4', 'inc']", so most developers do the same for their application to
prevent this.
But the better solution is to also include these extensions: "php5,pht,phtml".
Observation: now I have observed that most Debian Linux installations are set by
default to execute "phtml" as "php", which looks dangerous because most developers only
use "php,php3,php4,inc".
So if any developer misses adding "phtml" to the file upload blacklist, and if
Debian Linux is set to execute "phtml" as "php" by default, then the whole
server can be compromised by the attacker.
For POC I have tested the latest Kali Linux 2.0, which allows users to execute "phtml" as
"php" by default.
The default configuration for many Debians leads to the problem, in the following
component of Debian:
% dpkg-query -S /etc/apache2/mods-available/php5.conf
libapache2-mod-php5: /etc/apache2/mods-available/php5.conf
https://packages.debian.org/jessie/libapache2-mod-php5
* What exactly did you do (or not do) that was effective (or
ineffective)?
I had created a backdoor like "backdoor.phtml" and tried to execute it with Apache,
which executed successfully. By using this, a user can perform command
execution.
* What was the outcome of this action?
Many developers prevent File Upload Vulnerability by blocking "['php', 'php3',
'php4', 'inc']", so most developers do the same for their application to
prevent this.
But the better solution is to also include these extensions: "php5,pht,phtml".
If the developer forgot to add these extensions as well, and the server is configured
to execute "phtml" as "php" by default, then it can lead to server compromise.
* What outcome did you expect instead?
The php extensions should be disabled by default, just like "phtml"; if it is
required then it can be enabled manually, so he will be aware that "phtml" is also
enabled on the web server.
All in all, Debians should come with all extra php extensions disabled by
default; if someone needs "phtml" then he can enable it manually.
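As an added example (not part of this bug report and not Debian's or PHP's own code), the Python below contrasts the blacklist described in the report ("php, php3, php4, inc") with an allowlist check for an upload endpoint. The allowlist contents, the function names and the sample filenames are assumptions for illustration; the extra extensions "php5, pht, phtml" are the ones the report says a default Debian libapache2-mod-php5 install also hands to the PHP handler.

```python
"""
Upload-filename validation for a PHP web application (added example, not from
the bug report). A denylist built from the extensions most developers block
misses the extra extensions the report names, while an allowlist that checks
every suffix of the name does not depend on knowing the server's handler list.
"""
import posixpath

# Extensions the report says developers typically block.
COMMON_DENYLIST = {"php", "php3", "php4", "inc"}
# Extensions the report says also need blocking on a default Debian setup.
EXTRA_PHP_EXTENSIONS = {"php5", "pht", "phtml"}
# What an image-upload endpoint actually needs to accept (assumed allowlist).
IMAGE_ALLOWLIST = {"jpg", "jpeg", "png", "gif"}


def suffixes(filename):
    """Return every lowercase extension in a name: 'a.phtml.jpg' -> ['phtml', 'jpg'].

    Checking all of them, not only the last, is cheap and also covers
    AddHandler-style Apache configurations, where any extension present in the
    name can select the handler.
    """
    base = posixpath.basename(filename)
    parts = base.split(".")
    return [p.lower() for p in parts[1:] if p]


def denylist_allows(filename, denylist=COMMON_DENYLIST):
    """The fragile approach: reject only if the final extension is denied."""
    exts = suffixes(filename)
    last = exts[-1] if exts else ""
    return last not in denylist


def allowlist_allows(filename, allowlist=IMAGE_ALLOWLIST):
    """The robust approach: accept only names with at least one extension,
    every one of which is in the allowlist."""
    exts = suffixes(filename)
    return bool(exts) and all(e in allowlist for e in exts)


def missed_by_denylist(denylist=COMMON_DENYLIST):
    """Which PHP-handled extensions does a given denylist fail to cover?"""
    handled = EXTRA_PHP_EXTENSIONS | {"php", "php3", "php4"}
    return sorted(handled - denylist)


if __name__ == "__main__":
    # Constructed sample names; 'backdoor.phtml' is the case from the report.
    for name in ["photo.jpg", "shell.php", "backdoor.phtml", "shell.phtml.jpg"]:
        print(f"{name:18} denylist={denylist_allows(name)!s:5} "
              f"allowlist={allowlist_allows(name)!s:5}")
    print("not covered by the common denylist:", missed_by_denylist())
```

The denylist passes "backdoor.phtml" unless the extra extensions are added to it, whereas the allowlist rejects it without the developer needing to know which extensions the server maps to PHP; storing uploads outside the document root, or under a location with the PHP handler removed, is the corresponding server-side control.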
-- System Information:
Debian Release: Kali Linux 1.0.9
Architecture: i386 (i686)
Kernel: Linux 3.14-kali1-486
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libapache2-mod-php5 depends on:
ii apache2-mpm-prefork 2.2.22-13+deb7u3
ii apache2.2-common 2.2.22-13+deb7u3
ii libbz2-1.0 1.0.6-4
ii libc6 2.13-38+deb7u6
ii libcomerr2 1.42.5-1.1
ii libdb5.1 5.1.29-5
ii libgssapi-krb5-2 1.10.1+dfsg-5+deb7u2
ii libk5crypto3 1.10.1+dfsg-5+deb7u2
ii libkrb5-3 1.10.1+dfsg-5+deb7u2
ii libmagic1 5.11-2+deb7u5
ii libonig2 5.9.1-1
ii libpcre3 1:8.30-5
ii libqdbm14 1.8.78-2
ii libssl1.0.0 1.0.1e-2+deb7u13
ii libstdc++6 4.7.2-5
ii libxml2 2.8.0+dfsg1-7+wheezy2
ii mime-support 3.52-1
ii php5-common 5.4.34-0+deb7u1
ii tzdata 2014h-0wheezy1
ii ucf 3.0025+nmu3
ii zlib1g 1:1.2.7.dfsg-13
Versions of packages libapache2-mod-php5 recommends:
ii php5-cli 5.4.34-0+deb7u1
Versions of packages libapache2-mod-php5 suggests:
pn php-pear <none>
-- no debconf information