Re: [gentoo-dev] Review: Apache AddHandler news item
Published a slightly improved version now:

https://gitweb.gentoo.org/proj/gentoo-news.git/tree/2015/2015-04-06-apache-addhandler-addtype

If there's anything wrong with it, please mail me directly (or put me in
CC) so there is zero chance of slipping through. Thanks!

Best,

Sebastian
Re: [gentoo-dev] Review: Apache AddHandler news item
Next round:

 * Recipe for handling \.(php|php5|phtml|phps)\. manually added
 * AddType (with similar problems) mentioned, too
 * Typo momment fixed
(* Internal revision bump to 3, will be committed as revision 1)
(* Date bumped to today)
(* Links renumbered due to new link [2])

Title: Apache AddHandler/AddType vulnerability protection
Author: Sebastian Pipping sp...@gentoo.org
Content-Type: text/plain
Posted: 2015-03-30
Revision: 3
News-Item-Format: 1.0
Display-If-Installed: www-servers/apache

Apache's directives AddHandler [1] (and AddType [2]) can be used to map
certain file name extensions (e.g. .php) to a handler (e.g.
application/x-httpd-php). While a line like

  AddHandler application/x-httpd-php .php .php5 .phtml

matches index.php, it also matches index.php.png.

Apache's notes on multiple file extensions [3] document a multi-language
website as a context where that behavior may be helpful. Unfortunately,
it can be a security threat.

Combined with (not just PHP) applications that support file upload, the
AddHandler/AddType directive can get you into remote code execution
situations.

That is why app-admin/eselect-php now avoids AddHandler and is shipping

  <FilesMatch \.(php|php5|phtml)$>
    SetHandler application/x-httpd-php
  </FilesMatch>

instead.

Why this news entry?

 * Since Apache configuration lives below /etc, you need to run
   etc-update (or a substitute) to actually have related fixes applied.

 * If you are currently relying on AddHandler to execute
   secret_database_stuff.php.inc, moving away from AddHandler could
   result in serving your database credentials in plain text.
   A command like

     find /var/www/ -name '*.php.*' \
           -o -name '*.php5.*' \
           -o -name '*.phtml.*'

   may help discovering PHP files that would no longer be executed.

   Shipping automatic protection for this scenario is not trivial, but
   you could manually install protection based on this recipe:

     <FilesMatch \.(php|php5|phtml|phps)\.>
       # a) Apache 2.2 / Apache 2.4 + mod_access_compat
       #Order Deny,Allow
       #Deny from all

       # b) Apache 2.4 + mod_authz_core
       #Require all denied

       # c) Apache 2.x + mod_rewrite
       #RewriteEngine on
       #RewriteRule .* - [R=404,L]
     </FilesMatch>

 * You may be using AddHandler (or AddType) at other places, including
   off-package files. Please have a look.

 * app-admin/eselect-php is not the only package affected. There is a
   dedicated tracker bug at [4]. As of the moment, affected packages
   include:

     app-admin/eselect-php[apache2]
     dev-lang/php[apache2]
     net-nds/gosa-core
     www-apache/mod_fastcgi
     www-apache/mod_flvx
     www-apache/mod_python
     www-apache/mod_suphp
     www-apps/moinmoin
     www-apps/rt[-lighttpd]

Thanks to Nico Suhl, Michael Orlitzky and Marc Schiffbauer.

[1] https://httpd.apache.org/docs/current/mod/mod_mime.html#addhandler
[2] https://httpd.apache.org/docs/current/mod/mod_mime.html#addtype
[3] https://httpd.apache.org/docs/current/mod/mod_mime.html#multipleext
[4] https://bugs.gentoo.org/show_bug.cgi?id=544560
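
The news item above describes three configurations: the AddHandler line, the FilesMatch/SetHandler replacement, and the protective recipe. The following is an added example, not part of the thread or of any Gentoo package, that classifies file names under each so the upload and source-disclosure cases can be compared. The function names, the sample file names and the simplified mod_mime matching model are assumptions made for illustration.

```python
import re

# Extensions from the news item's "AddHandler application/x-httpd-php" line.
ADDHANDLER_EXTS = {"php", "php5", "phtml"}
# Regexes quoted from the news item; FilesMatch tests the file's base name.
SETHANDLER_RE = re.compile(r"\.(php|php5|phtml)$")
DENY_RE = re.compile(r"\.(php|php5|phtml|phps)\.")


def addhandler_executes(name):
    """Simplified mod_mime model (assumption): every dot-separated part
    after the first is an extension, and any one of them can pick the
    handler. Extensions are compared in lower case."""
    return any(ext.lower() in ADDHANDLER_EXTS for ext in name.split(".")[1:])


def classify(name, recipe_installed):
    """Return (before, after) handling of one file name, where 'before' is
    the AddHandler setup and 'after' is the FilesMatch/SetHandler setup."""
    before = "executed" if addhandler_executes(name) else "static"
    if recipe_installed and DENY_RE.search(name):
        after = "denied"
    elif SETHANDLER_RE.search(name):
        after = "executed"
    else:
        after = "static"
    return before, after


def source_disclosure(names, recipe_installed):
    """Files that used to run as PHP and would now be sent out verbatim."""
    return [n for n in names
            if classify(n, recipe_installed) == ("executed", "static")]


# Constructed sample names, not taken from a real document root.
SAMPLE = [
    "index.php",
    "index.php.png",
    "secret_database_stuff.php.inc",
    "logo.png",
    "old.phtml.bak",
]

if __name__ == "__main__":
    for name in SAMPLE:
        print(f"{name:32} {classify(name, False)} {classify(name, True)}")
    print("exposed without recipe:", source_disclosure(SAMPLE, False))
    print("exposed with recipe:   ", source_disclosure(SAMPLE, True))
```

Feeding it the output of the find command from the news item lists the files to rename or protect before running etc-update.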
Re: [gentoo-dev] Review: Apache AddHandler news item
On 03/26/2015 12:56 PM, Sebastian Pipping wrote:
> Why this news entry?

The most important reason is missing =)

If you are relying on the AddHandler behavior to execute
secret_database_stuff.php.inc, then once the change is made, Apache will
begin serving up your database credentials in plain text.
[gentoo-dev] Review: Apache AddHandler news item
Hi!

In context of https://bugs.gentoo.org/show_bug.cgi?id=538822 mjo and I
agreed that a portage news item would be a good idea. Please review my
proposal below. Thank you!

Best,

Sebastian

===
Title: Apache AddHandler vulnerability protection
Author: Sebastian Pipping sp...@gentoo.org
Content-Type: text/plain
Posted: 2015-03-26
Revision: 1
News-Item-Format: 1.0
Display-If-Installed: www-servers/apache

Apache's directive AddHandler [1] can be used to map certain file name
extensions (e.g. .php) to a handler (e.g. application/x-httpd-php).
While a line like

  AddHandler application/x-httpd-php .php .php5 .phtml

matches index.php, it also matches index.php.png.

Apache's notes on multiple file extensions [2] document a multi-language
website as a context where that behavior may be helpful. Unfortunately,
it can be a security threat.

Combined with (not just PHP) applications that support file upload, the
AddHandler directive can get you into remote code execution situations.

That is why app-admin/eselect-php now avoids AddHandler and is shipping

  <FilesMatch \.(php|php5|phtml)$>
    SetHandler application/x-httpd-php
  </FilesMatch>

instead.

Why this news entry?

 * Since Apache configuration lives below /etc, you need to run
   etc-update (or a substitute) to actually have related fixes applied.

 * You may be using AddHandler at other places, including off-package
   files. Please have a look.

 * app-admin/eselect-php is not the only package affected. There is a
   dedicated tracker bug at [3]. As of the momment, affected packages
   include:

     app-admin/eselect-php[apache2]
     dev-lang/php[apache2]
     net-nds/gosa-core
     www-apache/mod_fastcgi
     www-apache/mod_flvx
     www-apache/mod_python
     www-apache/mod_suphp
     www-apps/moinmoin
     www-apps/rt[-lighttpd]

[1] https://httpd.apache.org/docs/current/mod/mod_mime.html#addhandler
[2] https://httpd.apache.org/docs/current/mod/mod_mime.html#multipleext
[3] https://bugs.gentoo.org/show_bug.cgi?id=544560
Re: [gentoo-dev] Review: Apache AddHandler news item
* Sebastian Pipping wrote on 26.03.15 at 19:15:
> As of the momment, affected packages include:
              ^ Typo

--
0x35A64134 - 8AAC 5F46 83B4 DB70 8317 3723 296C 6CCA 35A6 4134
Re: [gentoo-dev] Review: Apache AddHandler news item
On 26.03.2015 18:02, Michael Orlitzky wrote:
> The most important reason is missing =)
>
> If you are relying on the AddHandler behavior to execute
> secret_database_stuff.php.inc, then once the change is made, Apache will
> begin serving up your database credentials in plain text.

Good point.

Changes:

 * Revision bump
 * Add section on .php.inc
 * Add thanks line

Title: Apache AddHandler vulnerability protection
Author: Sebastian Pipping sp...@gentoo.org
Content-Type: text/plain
Posted: 2015-03-26
Revision: 2
News-Item-Format: 1.0
Display-If-Installed: www-servers/apache

Apache's directive AddHandler [1] can be used to map certain file name
extensions (e.g. .php) to a handler (e.g. application/x-httpd-php).
While a line like

  AddHandler application/x-httpd-php .php .php5 .phtml

matches index.php, it also matches index.php.png.

Apache's notes on multiple file extensions [2] document a multi-language
website as a context where that behavior may be helpful. Unfortunately,
it can be a security threat.

Combined with (not just PHP) applications that support file upload, the
AddHandler directive can get you into remote code execution situations.

That is why app-admin/eselect-php now avoids AddHandler and is shipping

  <FilesMatch \.(php|php5|phtml)$>
    SetHandler application/x-httpd-php
  </FilesMatch>

instead.

Why this news entry?

 * Since Apache configuration lives below /etc, you need to run
   etc-update (or a substitute) to actually have related fixes applied.

 * If you are currently relying on AddHandler to execute
   secret_database_stuff.php.inc, moving away from AddHandler could
   result in serving your database credentials in plain text.
   A command like

     find /var/www/ -name '*.php.*' \
           -o -name '*.php5.*' \
           -o -name '*.phtml.*'

   may help discovering PHP files that would no longer be executed.

 * You may be using AddHandler at other places, including off-package
   files. Please have a look.

 * app-admin/eselect-php is not the only package affected. There is a
   dedicated tracker bug at [3]. As of the momment, affected packages
   include:

     app-admin/eselect-php[apache2]
     dev-lang/php[apache2]
     net-nds/gosa-core
     www-apache/mod_fastcgi
     www-apache/mod_flvx
     www-apache/mod_python
     www-apache/mod_suphp
     www-apps/moinmoin
     www-apps/rt[-lighttpd]

Thanks to Nico Suhl and Michael Orlitzky.

[1] https://httpd.apache.org/docs/current/mod/mod_mime.html#addhandler
[2] https://httpd.apache.org/docs/current/mod/mod_mime.html#multipleext
[3] https://bugs.gentoo.org/show_bug.cgi?id=544560
Re: [gentoo-dev] Review: Apache AddHandler news item
On 26.03.2015 20:50, Marc Schiffbauer wrote:
> * Sebastian Pipping wrote on 26.03.15 at 19:15:
>> As of the momment, affected packages include:
>              ^ Typo

Thanks. Fixed in my local copy.
No need to re-paste, I believe.

Best,

Sebastian