Your message dated Wed, 4 Jun 2008 09:32:55 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Closing duplicate of already closed bug
has caused the Debian Bug report #415254,
regarding SuPHP security issue: Replace AddHandler by AddType
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
415254: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=415254
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: libapache-mod-suphp
Version: 0.5.2-3
Severity: critical

There seems to be a serious security bug when using suphp
with apache 1.3.x on Sarge (and also on Etch).

Due to a bug in the suphp (or apache) package it is
necessary to use
        AddHandler x-httpd-php .php

instead of the preferred
        AddType x-httpd-php .php

Because of this a file called 'image.php.jpg' is
interpreted and executed as a PHP file (not as an image),
which makes the execution of arbitrary code possible when
(for example) a poorly written image-upload form fails to
properly check the file-extension.

More info can be found here:
http://www.mail-archive.com/[EMAIL PROTECTED]/msg00065.html

Note: Apache2 doesn't seem affected. It however generates a
'[warn] Cannot get media type from x-httpd-php' warning in
the apache error-log, each time a php-file is called upon.

Regards,
Fili




--- End Message ---
--- Begin Message ---
This bug was reassigned from no longer available libapache-mod-suphp to
libapache-mod-suphp2, but it's fixed in this last one (see #416424).


--- End Message ---
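
Added example (not part of the bug report or of suPHP): a simplified Python model of how mod_mime resolves a filename with several extensions, showing why 'image.php.jpg' reaches the PHP handler under AddHandler but not under AddType. The extension tables, the sample filenames and the rule that unmapped extensions are ignored are assumptions of the model.

```python
# Simplified model of Apache mod_mime multi-extension resolution.
# Assumption: extensions with no mapping are ignored by this model.
PHP = "x-httpd-php"

# "AddType x-httpd-php .php": PHP is a media type and competes with image/jpeg.
ADDTYPE_CONFIG = {
    "types": {"php": PHP, "jpg": "image/jpeg", "txt": "text/plain"},
    "handlers": {},
}
# "AddHandler x-httpd-php .php": PHP is a handler; .jpg and .txt only set a type.
ADDHANDLER_CONFIG = {
    "types": {"jpg": "image/jpeg", "txt": "text/plain"},
    "handlers": {"php": PHP},
}

def resolve(filename, config):
    """Walk every extension left to right; for each kind of metadata
    (type, handler) the rightmost extension that maps it wins."""
    content_type = handler = None
    for ext in filename.lower().split(".")[1:]:
        if ext in config["types"]:
            content_type = config["types"][ext]
        if ext in config["handlers"]:
            handler = config["handlers"][ext]
    return content_type, handler

def runs_as_php(filename, config):
    """An explicit handler takes precedence; otherwise the media type decides."""
    content_type, handler = resolve(filename, config)
    return (handler or content_type) == PHP

def audit(filenames, config):
    """Return names that would execute as PHP although they do not end in .php."""
    return [n for n in filenames
            if runs_as_php(n, config) and not n.lower().endswith(".php")]

# Constructed sample of names found in an upload directory.
SAMPLE_UPLOADS = ["photo.jpg", "image.php.jpg", "index.php", "notes.php.txt"]

if __name__ == "__main__":
    for label, cfg in (("AddHandler", ADDHANDLER_CONFIG), ("AddType", ADDTYPE_CONFIG)):
        print(label, "->", audit(SAMPLE_UPLOADS, cfg))
```

Running audit() over a listing of an upload directory is a quick way to find files that only a final-extension check would have let through.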
