$ cat /etc/issue
Debian GNU/Linux 4.0 \n \l

$ mv phpinfo.php phpinfo.php.txt
$ wget -qO - http://the-wes.com/phpinfo.php.txt
<?PHP phpinfo(); ?>

I think this means I'm safe.

-wes

On Fri, Nov 13, 2009 at 10:29 PM, Joe Pruett <[email protected]> wrote:

> if you use the apache addhandler command for things like php, perl, python,
> etc it can create a huge hole if you allow uploads into your web space
> (images for example). the unbelievable behavior is that addhandler (and
> other friends from mod_mime) look for the extension anywhere in the
> filename, not just the end. so foo.php.jpg will be run as php if addhandler
> is used for .php (which is the default for redhat 5 systems).
>
> a workaround is to use:
>
> <FilesMatch \.php$>
> SetHandler php5-script
> ForceType text/html
> </FilesMatch>
>
> instead. wow, this is just scary...
>
> _______________________________________________
> PLUG mailing list
> [email protected]
> http://lists.pdxlinux.org/mailman/listinfo/plug
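
An added example, not part of the original thread: a Python audit that models the matching rule described in the quoted message (an AddHandler extension counts anywhere after the first dot) and lists names in an upload area that AddHandler would treat as PHP but the anchored `\.php$` pattern from the workaround would not. The names `HANDLER_EXTS`, `audit` and the sample file names are assumptions made up for the illustration.

```python
import os
import re

# Assumption: the extensions this server maps with AddHandler (".php" in the thread).
HANDLER_EXTS = {"php"}

# The anchored pattern from the FilesMatch workaround quoted in the thread.
ANCHORED = re.compile(r"\.php$")


def mod_mime_extensions(path):
    """Every dot-separated component after the first counts as an extension."""
    name = os.path.basename(path)
    return [part.lower() for part in name.split(".")[1:] if part]


def addhandler_matches(path, handler_exts=HANDLER_EXTS):
    """True if any extension, in any position, is mapped to a handler."""
    return any(ext in handler_exts for ext in mod_mime_extensions(path))


def filesmatch_matches(path):
    """True only when the name ends in .php, as <FilesMatch \\.php$> requires."""
    return ANCHORED.search(os.path.basename(path)) is not None


def audit(paths):
    """Names AddHandler would treat as PHP that the anchored pattern would not."""
    return [p for p in paths if addhandler_matches(p) and not filesmatch_matches(p)]


# Constructed sample of an upload directory listing.
SAMPLE = [
    "uploads/avatar.jpg",
    "uploads/foo.php.jpg",
    "uploads/php.jpg",
    "uploads/archive.tar.gz",
    "index.php",
    "uploads/report.php.bak",
]

if __name__ == "__main__":
    for hit in audit(SAMPLE):
        print("handler extension in non-final position:", hit)
```

Feeding `audit` a real listing of the upload directory shows which stored names depend on the handler configuration rather than on their final extension.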
