On 23 Sep 2013, at 11:37, Domain nikha.org <m...@nikha.org> wrote: > Tamara Temple am Montag, 23. September 2013 - 06:49: >> >> GoDaddy's default plesk-generated configuration for FastCGI-served >> PHP > files only looked to see if the file contained ".php" somewhere on > it's path - i.e. it would happily execute 'malicilous.php.txt' as php > code, even something ridiculous like 'malware.phpnoreallyiwantthistorun'. >> > > Yes, looks stupid. > But my service prodider wrote me this, I quote: > ---QUOTE--- > This is because Apache offers features like language negotiation based > on extensions, too -- the final extension doesn't always just specify > the handler; it can specify other things. Apache can automatically > pick a German-language script from these, for example: > > file.php.de > file.php.en > > Whether this is a good idea or not is debatable. It's possible to set > things up in a different way (using FilesMatch instead of AddHandler) > to avoid this particular problem, but that breaks other things, so > there's no perfect solution. > > More generally, the real problem is that scripts are looking at the > final extension of uploaded files to decide whether they're safe or > not, which is dangerous. They're simply assuming that a ".gif" file > can't run a PHP interpreter, for example... which is usually true, but > certainly not always: some people run all their files through PHP. > ---END QUOTE---
This is somewhat daft. Yes, Apache offers this feature, but you don't need to configure it to work will all extensions. I'd be curious to know what their issue is with using FilesMatch, since that provides a way to disable this behaviour. And, honestly, who would have a PHP file per language? I think it's perfectly reasonable to not allow that, because duplicating PHP code across many files is an incredible stupid way to support multiple languages. "Some people run all their files through PHP" - true, but that doesn't mean they should, or that you, as a responsible web host, should be endorsing it. > The problem is the weak PHP upload mechanism! > As workaround my service provider tries to block suspicious filenames, > but the PHP developpers themself should work on this severe security > problem. PHP developers should absolutely validate all content coming in from users in every possible way, but I would be highly dubious about trusting a host who gives the reason above for what I consider a lax and insecure Apache configuration. It's like saying they sliced your arm off with their chainsaw because it's made for cutting things, attempting to dodge all responsibility for having swung it in your direction! -Stuart -- It seems this is the standard apache configuration, but that's no excuse. Googling returned many results where this was described as a major security threat e.g. "Beware of the default Apache 2 config for PHP" http://ilia.ws/archives/226-Beware-of-the-default-Apache-2-config-for-PHP.ht ml On that site the solution was to change AddHandler to AddType. My service provider is going the FilesMatch route. Cheers Arno -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
