Hi Folks:

I haven't been reading the list lately.  I went to the mailing list archives
on Google and MARC to see what's been said about the "Apache Win32 PHP.EXE
Remote File Disclosure Vulnerability."  I was surprised to find only one post
to the php-dev list:

> As I responded on Bugtraq, this is, if anything, an Apache bug, not a PHP 
> bug.  It could be a configuration bug too, but the bottom line is that 
> Apache doesn't determine that the file is a PHP file when requested in that 
> way, and doesn't even invoke PHP on it.
> 
> Zeev

http://groups.google.com/groups?hl=en&threadm=5.1.0.14.2.20011216032247.06833468%40localhost&rnum=10&prev=/groups%3Fhl%3Den%26q%3DApache%2BPHP%2Bfile%2BDisclosure%2Bvulnerability%26btnG%3DGoogle%2BSearch


I was surprised that nothing is mentioned about it on the PHP web site.  I
did a search on the whole site for "apache File Disclosure" and got no hits.

Similarly, looking in the Apache Bug Report Database brought up nothing. 
Weird.

So, I wanted to give the php-general list a heads up on this matter.  As Zeev
points out, it's an Apache problem, but it's something we, as PHP users, will
run into...


vvvvvvvvvvvvvvvv   clip from Security Focus  vvvvvvvvvvvvvvvvvvvv

SecurityFocus Newsletter #127.  Tue, 15 Jan 2002.

1. Apache Win32 PHP.EXE Remote File Disclosure Vulnerability
BugTraq ID: 3786
Remote: Yes
Date Published: Jan 04 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3786
Summary:

A vulnerability exists in the suggested default configuration for the
Apache PHP.EXE binary on Microsoft Windows platforms. This issue has the
potential to disclose the contents of arbitrary files to remote attackers.

The ScriptAlias line of the following configuration in the httpd.conf
Apache configuration file is known to be the source of this issue:

ScriptAlias /php/ "c:/php/"
AddType application/x-httpd-php .php
Action application/x-httpd-php "/php/php.exe"

As a result, it is possible for an attacker to append a filepath to the
end of a web request for php.exe. Files targeted in this manner will be
served to the attacker.

It is also possible to run executables in the PHP directory via successful
exploitation of this vulnerability.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^


A temporary workaround I thought of off the cuff is modifying some of the
settings in the Apache configuration (httpd.conf, .htaccess, etc.) files. 
This way, crackers would have to guess the vulnerable path.  Of course, this
isn't a real security measure, but it reduces the likelihood of problems.

STANDARD SETTINGS:
   Action application/x-httpd-php "/php/php.exe"
   ScriptAlias /php/ "f:/Program Files/php4/"

TWEAKED SETTINGS:
   Action application/x-httpd-php "/SomeOtherName/php.exe"
   ScriptAlias /SomeOtherName/ "f:/Program Files/php4/"


Another thing Win32/PHP/Apache users on NT and 2000 machines can do is run
the Apache service under a particular user id and tighten permissions granted
that user.

I guess mod_rewrite could be used to head off these calls to /php/php.exe. 
But I'm not familiar enough with mod_rewrite to do this.  If anyone is,
please be kind enough to post the _complete_ set of commands one would need
to handle this situation.

Enjoy,

--Dan

-- 
                PHP scripts that make your job easier
              http://www.analysisandsolutions.com/code/
         SQL Solution  |  Layout Solution  |  Form Solution
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
 4015 7 Ave, Brooklyn NY 11232    v: 718-854-0335    f: 718-854-0409
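
Added example, not part of the original post: a small Python audit check that flags the configuration pattern described in the SecurityFocus clip, an Action handler pointing at php.exe under a ScriptAlias prefix. It also shows that the TWEAKED settings keep the same structure under a different name. The function names and sample configs are constructed for illustration.

```python
import re

# Constructed sample configs, built from the settings quoted in the post.
STANDARD = '''
ScriptAlias /php/ "f:/Program Files/php4/"
AddType application/x-httpd-php .php
Action application/x-httpd-php "/php/php.exe"
'''
TWEAKED = '''
ScriptAlias /SomeOtherName/ "f:/Program Files/php4/"
AddType application/x-httpd-php .php
Action application/x-httpd-php "/SomeOtherName/php.exe"
'''
UNRELATED = '''
# A ScriptAlias with no Action handler living under it
ScriptAlias /cgi-bin/ "c:/apache/cgi-bin/"
'''

def directives(conf):
    """Yield (name, args) per non-comment line; quoted arguments stay whole."""
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = [q or b for q, b in re.findall(r'"([^"]*)"|(\S+)', line)]
        yield tokens[0].lower(), tokens[1:]  # directive names are case-insensitive

def exposed_interpreters(conf):
    """Return (url_prefix, directory, action_url) for each Action handler
    that is php.exe served from inside a ScriptAlias prefix."""
    aliases, actions = {}, []
    for name, args in directives(conf):
        if name == "scriptalias" and len(args) >= 2:
            aliases[args[0]] = args[1]
        elif name == "action" and len(args) >= 2:
            actions.append(args[1])
    findings = []
    for url in actions:
        for prefix, directory in aliases.items():
            low = url.lower()
            if low.startswith(prefix.lower()) and low.endswith("php.exe"):
                findings.append((prefix, directory, url))
    return findings

if __name__ == "__main__":
    for label, conf in [("standard", STANDARD), ("tweaked", TWEAKED),
                        ("unrelated", UNRELATED)]:
        print(label, exposed_interpreters(conf) or "no finding")
```

Both the STANDARD and TWEAKED samples are reported, since renaming the alias changes only the URL prefix and not the fact that the interpreter directory is script-aliased.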
