Re: MAJOR SECURITY-PROBLEM Apache 2.4.6

Mon, 16 Sep 2013 11:12:08 -0700 

I can sort-of confirm this.

Apache 2.4.3 on Windows 7 x64 (ApacheLounge build)
For me, the PHP is executed, not displayed.

Stock configuration with mod_php and only this added:
 <Location "/phpinfo.php">
LimitRequestBody 1
</Location>

The built in error is displayed with the processed PHP (in my case, just
phpinfo() ) appended. I could not replicate this with any other directive.

- Y


On Mon, Sep 16, 2013 at 7:56 AM, Reindl Harald <[email protected]>wrote:

> why in the world does Apache add the *sourcode* of the called PHP
> script after the sepcified ErrorDocument? this is a major problem
> and exactly *not* what should happen by a security option
> ________________________________________________
>
> <Location "/cms.php">
>  LimitRequestBody 10
> </Location>
>
> ErrorDocument 413 "<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01
> Transitional//EN'
> 'http://www.w3.org/TR/html4/loose.dtd'><html><head><title>Error 413 -
> Request Entity Too Large</title><style
> type='text/css'>* {font-family:Arial,Helvetica; text-decoration:none;
> font-size:16px;} body {margin:0px;
> padding:15px;}</style></head><body><h1 style='margin-top:0px;
> font-size:18px;'>Error 413</h1><p>Request Entity Too
> Large / Anfrage zur Bearbeitung zu lang<br />Tech. Contact: <a
> href='mailto:[email protected]?subject=Server-Error-413'>
> [email protected]</a></p></body></html>"
> ________________________________________________
>
> OUTPUT TO THE BROWER (stripped, yes it adds the complete PHP sript)
>
> <!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'
> 'http://www.w3.org/TR/html4/loose.dtd'><html><head><title>Error 413 -
> Request Entity Too Large</title><style
> type='text/css'>* {font-family:Arial,Helvetica; text-decoration:none;
> font-size:16px;} body {margin:0px;
> padding:15px;}</style></head><body><h1 style='margin-top:0px;
> font-size:18px;'>Error 413</h1><p>Request Entity Too
> Large / Anfrage zur Bearbeitung zu lang<br />Tech. Contact: <a
> href='mailto:[email protected]?subject=Server-Error-413'>[email protected]
> </a></p></body></html><?php
>  /**
>   CONTENT MANAGMENT SYSTEM / CONTENTLOUNGE
>   ------------------------------------------------------------------
>   AENDERUNGEN UND WEITERGABE DIESER DATEI OHNE RUECKSPRACHE MIT DEM
>   ENTWICKLER SIND LIZENZRECHTLICH NICHT GESTATTET!
>   ---------------------------------------------------
>
>

Reply via email to