Ticket #11122 (closed defect (bug): fixed)
Sanitize filenames with multiple extensions
| Reported by: |
|
Owned by: |
|
|---|---|---|---|
| Priority: | normal | Milestone: | 2.8.6 |
| Component: | Security | Version: | 2.8.5 |
| Severity: | normal | Keywords: | health-check |
| Cc: |
Description
Some apache setups will serve foo.php.jpg as a php file. Thwart this by munging intermediate extensions.
Attachments
-
11122.diff
(3.3 KB) -
added by ryan 2 years ago.
Change History
- Keywords health-check added
Intriguing behaviour as really only the last part after the last dot is the extension IMHO
should we not just replace all dots bar the last one in the filename?
The patch turns .php.jpg into .php_.jpg. .php.jpg.jpg into .php_.jpg.jpg. Anything that looks like an extension (a dot followed by [a-zA-Z]{2,5}\d?) that is not in the whitelist is munged by appending an underscore.
Better fix for people with vulnerable hosts. Add this to the top of the root .htaccess file:
RemoveHandler application/x-httpd-php .php <FilesMatch "\.php$|\.php5$|\.php4$|\.php3$|\.phtml$|\.phpt$"> SetHandler application/x-httpd-php </FilesMatch> <FilesMatch "\.phps$"> SetHandler application/x-httpd-php-source </FilesMatch>
This will remove the problem. Verified on a vulnerable shared web host (which shall remain nameless for now).
Tip that we should tell all web hosts: Don't use AddHandler.
This (or similar) is the vulnerability:
AddHandler application/x-httpd-php .php
This is the correct way to do it:
<FilesMatch "\.php$|\.php5$|\.php4$|\.php3$|\.phtml$|\.phpt$"> SetHandler application/x-httpd-php </FilesMatch> <FilesMatch "\.phps$"> SetHandler application/x-httpd-php-source </FilesMatch>
Reference step 15 of the install instructions here: http://php.net/manual/en/install.unix.apache2.php
