I suppose this is a great bug. It also works on Apache 2. If a user can upload a file and its extension isn't associated with a MIME type, the server processes it as a PHP file.
Stanza

On 12/5/05, Chris Umphress <[EMAIL PROTECTED]> wrote:
> On 12/4/05, Ron <[EMAIL PROTECTED]> wrote:
> > I'm not sure whether this is something that's well known, but I've never
> > seen anything about it, and I nearly got burned by it, so I figured I'd
> > post it here.
> >
> > In Apache 1.3.33 (untested on any other version), if you have a file
> > called file.php.bak, and you navigate to it in the browser, it will run
> > on the server as a .php file. This works with any extension that isn't
> > known to the server (.rar, .bak, .test, .java, .cpp, .c, etc.)
> >
> > This can impact upload scripts, if they don't rename. I had a script
> > that was only allowing a very limited number of file names, including
> > .rar. I realized that I could upload the file test.php.rar, as
> > demonstrated here:
> > http://www.javaop.com/~iago/test.php.rar
> >
> > (I assure you that that's a .php script, not just that text file).
>
> Whoa, that's interesting. Testing on Apache 2.0.54 gets the same result.
>
> $ echo "<?php echo 'test'; ?>">/path/to/htdocs/test.php.rar
> $ wget http://localhost/test.php.rar -O /tmp/test.txt
> $ cat /tmp/test.txt;echo
>
> Prints "test". I hadn't heard about this. Thankfully, my webserver
> isn't susceptible to such attacks, let me show you why. In my
> httpd.conf file, I have:
>
> Alias /uploads/ "/var/www/htdocs/"
> Alias /uploads "/var/www/htdocs/"
>
> First, I'm not naming the real directory.... Second, if someone did
> find the upload directory, they would be redirected to the root of the
> server. They couldn't run the script on my server no matter how hard
> they tried.
>
> Thanks for the information.
>
> --
> Chris Umphress <http://daga.dyndns.org/>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
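The thread's point is that checking only the final extension of an uploaded filename is not enough on an Apache that maps .php through a handler, because an extension the server does not know (.rar, .bak, ...) is skipped rather than overriding the .php that precedes it. The following is an added example, my own code rather than anything from the thread or from Apache or PHP. It models that multiple-extension rule in a simplified form, shows the last-extension-only check that Ron's script effectively performed beside a validator that inspects every extension, and renames the stored file, which is the "if they don't rename" mitigation the thread mentions. The handler and allowed-extension sets are constructed assumptions and should be tuned to the handlers a given server actually configures.

```python
"""Upload filename validation that accounts for Apache multiple-extension matching.

Added example; not code from the mailing-list thread or from the Apache project.
"""
import os
import secrets

# Extensions commonly mapped to a server-side handler. Constructed for this
# example; real deployments should derive this from their own httpd.conf.
HANDLER_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phps",
                      "cgi", "pl", "py", "shtml"}

# What the upload form is meant to accept (the thread's script allowed .rar).
# Constructed allowlist for the example.
ALLOWED_FINAL_EXTENSIONS = {"rar", "zip", "txt", "png", "jpg", "gif"}


class UnsafeUploadName(ValueError):
    """Raised when a filename would be rejected by the validator."""


def extensions_of(filename):
    """Return every dot-separated extension, lowercased: 'test.php.rar' -> ['php', 'rar'].

    Directory components are discarded and leading dots are not treated as
    separators, so '.htaccess' has no extensions rather than one called 'htaccess'.
    """
    base = os.path.basename(filename).lstrip(".")
    return [part.lower() for part in base.split(".")[1:]]


def mod_mime_handler(filename, handler_map):
    """Simplified model of the matching rule the thread describes.

    Extensions are scanned left to right; a known extension sets the handler,
    an unknown one is skipped and does not reset it. This is a teaching model,
    not a reimplementation of mod_mime.
    """
    handler = None
    for ext in extensions_of(filename):
        if ext in handler_map:
            handler = handler_map[ext]
    return handler


def naive_check(filename):
    """The check that lets test.php.rar through: only the final extension is inspected."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_FINAL_EXTENSIONS


def validate_upload_name(filename):
    """Return the single extension the stored file may carry, or raise UnsafeUploadName.

    Rejects names with no extension, names whose final extension is not on the
    allowlist, and names where *any* extension is a handler extension, which is
    the case the thread demonstrates.
    """
    exts = extensions_of(filename)
    if not exts:
        raise UnsafeUploadName(f"{filename!r}: no extension")
    if exts[-1] not in ALLOWED_FINAL_EXTENSIONS:
        raise UnsafeUploadName(f"{filename!r}: final extension {exts[-1]!r} not allowed")
    offending = [e for e in exts if e in HANDLER_EXTENSIONS]
    if offending:
        raise UnsafeUploadName(f"{filename!r}: handler extension(s) {offending} present")
    return exts[-1]


def is_safe_upload_name(filename):
    """Boolean wrapper around validate_upload_name for callers that do not want exceptions."""
    try:
        validate_upload_name(filename)
    except UnsafeUploadName:
        return False
    return True


def safe_stored_name(filename, token=None):
    """Discard the user-supplied basename entirely: random token + one allowlisted extension.

    Because the stored name has exactly one extension, the multiple-extension
    rule modelled above has nothing to match against. `token` is a parameter
    only so tests can make the result deterministic.
    """
    ext = validate_upload_name(filename)
    token = token or secrets.token_hex(8)
    return f"{token}.{ext}"


if __name__ == "__main__":
    # Constructed handler map standing in for an AddHandler/AddType line.
    php_map = {"php": "application/x-httpd-php"}
    for name in ("archive.rar", "test.php.rar", "shell.php", "README"):
        print(f"{name:14} mod_mime->{mod_mime_handler(name, php_map)!s:26} "
              f"naive={naive_check(name)!s:5} validator={is_safe_upload_name(name)}")
    print("stored as:", safe_stored_name("archive.rar"))
```

The point of `naive_check` beside `validate_upload_name` is that both accept `archive.rar`, but only the naive one accepts `test.php.rar`; an allowlist on the final extension is necessary but not sufficient when the web server examines every extension. Renaming on storage, as `safe_stored_name` does, removes the dependence on getting the filter exactly right.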
