Diffstat (limited to 'metadata/news/2015-04-06-apache-addhandler-addtype/2015-04-06-apache-addhandler-addtype.en.txt')
-rw-r--r-- | metadata/news/2015-04-06-apache-addhandler-addtype/2015-04-06-apache-addhandler-addtype.en.txt | 100 |
1 files changed, 0 insertions, 100 deletions
diff --git a/metadata/news/2015-04-06-apache-addhandler-addtype/2015-04-06-apache-addhandler-addtype.en.txt b/metadata/news/2015-04-06-apache-addhandler-addtype/2015-04-06-apache-addhandler-addtype.en.txt deleted file mode 100644 index f90d09191dee..000000000000 --- a/metadata/news/2015-04-06-apache-addhandler-addtype/2015-04-06-apache-addhandler-addtype.en.txt +++ /dev/null 
@@ -1,100 +0,0 @@ -Title: Apache AddHandler/AddType exploit protection -Author: Sebastian Pipping <sping@gentoo.org> -Content-Type: text/plain -Posted: 2015-04-06 -Revision: 2 -News-Item-Format: 1.0 -Display-If-Installed: www-servers/apache - -Apache's directives AddHandler [1] and AddType [2] can be used -to map certain file name extensions (e.g. .php) to a handler -(e.g. application/x-httpd-php). While a line like - - AddHandler application/x-httpd-php .php .php5 .phtml - ^^^^^^^ -matches index.php, it also matches index.php.png. -With - - AddType application/x-httpd-php .php .php5 .phtml - ^^^^ -index.php.png is not executed, but index.php.disabled still is. - - -Apache's notes on multiple file extensions [3] document -a multi-language website as a context where that behavior -may be helpful. Unfortunately, it can also be a security threat. - -Combined with (not just PHP) applications that support -file upload, the AddHandler/AddType directive can get you into -remote code execution situations. - -That is why >=app-eselect/eselect-php-0.7.1-r4 avoids AddHandler -and is shipping - - <FilesMatch "\.(php|php5|phtml)$"> - SetHandler application/x-httpd-php - </FilesMatch> - -instead. - - -Why this news entry? - - * Since Apache configuration lives below /etc, - you need to run etc-update (or a substitute) - to actually have related fixes applied. - To get them into the running instance of Apache, - you need to make it reload its configuration, e.g. - - sudo /etc/init.d/apache2 reload - - * If you are currently relying on AddHandler to execute - secret_database_stuff.php.inc, moving away from AddHandler - could result in serving your database credentials in plain - text. A command like - - find /var/www/ -name '*.php.*' \ - -o -name '*.php5.*' \ - -o -name '*.phtml.*' - - may help discovering PHP files that would no longer be executed. 
- - Shipping automatic protection for this scenario is not trivial, - but you could manually install protection based on this recipe: - - <FilesMatch "\.(php|php5|phtml|phps)\."> - # a) Apache 2.2 / Apache 2.4 + mod_access_compat - #Order Deny,Allow - #Deny from all - - # b) Apache 2.4 + mod_authz_core - #Require all denied - - # c) Apache 2.x + mod_rewrite - #RewriteEngine on - #RewriteRule .* - [R=404,L] - </FilesMatch> - - * You may be using AddHandler or AddType in other places, - including off-package files. Please have a look. - - * app-eselect/eselect-php is not the only package affected. - There is a dedicated tracker bug at [4]. - As of the moment, affected packages include: - - app-eselect/eselect-php[apache2] - net-nds/gosa-core - www-apache/mod_fastcgi - www-apache/mod_flvx - www-apache/mod_python - www-apache/mod_suphp - www-apps/moinmoin - www-apps/rt[-lighttpd] - - -Thanks to Nico Suhl, Michael Orlitzky and Marc Schiffbauer. - -[1] https://httpd.apache.org/docs/current/mod/mod_mime.html#addhandler -[2] https://httpd.apache.org/docs/current/mod/mod_mime.html#addtype -[3] https://httpd.apache.org/docs/current/mod/mod_mime.html#multipleext -[4] https://bugs.gentoo.org/show_bug.cgi?id=544560 |
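Review bot: The deletion at `@@ -1,100 +0,0 @@` removes the whole news item, and nothing in the visible diff says where its guidance lives afterwards. That includes the manual `<FilesMatch "\.(php|php5|phtml|phps)\.">` protection recipe and the warning that files such as secret_database_stuff.php.inc could be served in plain text after moving away from AddHandler. The removed text also lists several packages as affected "as of the moment" under tracker bug [4] (https://bugs.gentoo.org/show_bug.cgi?id=544560). Before the item is dropped, the commit message should state whether that tracker is resolved for all listed packages, or point to a replacement document that keeps the recipe and the `find /var/www/ -name '*.php.*'` check available to users who have not yet run etc-update.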