On 23 Sep 2013, at 11:37, Domain nikha.org <m...@nikha.org> wrote:

> Tamara Temple am Montag, 23. September 2013 - 06:49:
>> GoDaddy's default plesk-generated configuration for FastCGI-served PHP
> files only looked to see if the file contained ".php" somewhere on it's
> path - i.e. it would happily execute 'malicilous.php.txt' as php code,
> even something ridiculous like 'malware.phpnoreallyiwantthistorun'.
> Yes, looks stupid.  
> But my service prodider wrote me this, I quote:
> ---QUOTE---
> This is because Apache offers features like language negotiation based
> on extensions, too -- the final extension doesn't always just specify
> the handler; it can specify other things. Apache can automatically pick
> a German-language script from these, for example:
> file.php.de
> file.php.en
> Whether this is a good idea or not is debatable. It's possible to set
> things up in a different way (using FilesMatch instead of AddHandler)
> to
> avoid this particular problem, but that breaks other things, so there's
> no perfect solution.
> More generally, the real problem is that scripts are looking at the
> final extension of uploaded files to decide whether they're safe or
> not,
> which is dangerous. They're simply assuming that a ".gif" file can't
> run
> a PHP interpreter, for example... which is usually true, but certainly
> not always: some people run all their files through PHP.
> ---END QUOTE---

This is somewhat daft. Yes, Apache offers this feature, but you don't need to 
configure it to work will all extensions. I'd be curious to know what their 
issue is with using FilesMatch, since that provides a way to disable this 
behaviour. And, honestly, who would have a PHP file per language? I think it's 
perfectly reasonable to not allow that, because duplicating PHP code across 
many files is an incredible stupid way to support multiple languages.

"Some people run all their files through PHP" - true, but that doesn't mean 
they should, or that you, as a responsible web host, should be endorsing it.

> The problem is the weak PHP upload mechanism! 
> As workaround my service provider tries to block suspicious filenames,
> but the PHP developpers themself should work on this severe security
> problem.

PHP developers should absolutely validate all content coming in from users in 
every possible way, but I would be highly dubious about trusting a host who 
gives the reason above for what I consider a lax and insecure Apache 
configuration. It's like saying they sliced your arm off with their chainsaw 
because it's made for cutting things, attempting to dodge all responsibility 
for having swung it in your direction!


Stuart Dallas
3ft9 Ltd
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to