vierupro n00b
Joined: 15 Jun 2006 Posts: 5
|
Posted: Fri Jun 16, 2006 2:06 am Post subject: php interpret .php._php extension ?? |
|
|
Hi everyone!
I have a Gentoo server with Apache + PHP installed. On my web server are hosted a few sites, and everything works fine. A few months ago we opened a PHP-based file sharing service on this box; people can upload their files and share them. So I allowed the users to upload files with all extensions except scripts (php, php3, php4, pl, cgi, etc.). After uploading they cannot rename the files (to change the extension), so I was sure they could not execute any malicious script on my server.
A few days ago a guy tried to hack my server using php shells. The way he did it was very unexpected for me...
He uploaded the shell renamed with the extension .php._php
The most amazing thing is that Apache interprets such a file as a PHP script !!
This is what my mod_php conf looks like:
Code: |
<IfDefine PHP4>
    # Load the module first
    <IfModule !sapi_apache2.c>
        LoadModule php4_module modules/libphp4.so
    </IfModule>
    # Set it to handle the files
    <IfModule mod_mime.c>
        AddType application/x-httpd-php .php
        AddType application/x-httpd-php .phtml
        AddType application/x-httpd-php .php3
        AddType application/x-httpd-php .php4
        AddType application/x-httpd-php-source .phps
    </IfModule>
    AddDirectoryIndex index.php index.phtml
</IfDefine>
|
I searched Google for this info and couldn't find anything except some Chinese forums with hacking (where I didn't understand anything)
So wtf is that ?
Is that some kind of bug or what ? Anyone had such problems and know how to repair it ?
Any help will be appreciated. Thanks in advance ! |
Aries-Belgium l33t
Joined: 08 Jul 2005 Posts: 730 Location: Willebroek, Belgium
|
Posted: Fri Jun 16, 2006 3:48 am Post subject: |
|
|
If that guy uploaded a file named like that, I think he knew that it could work. So my guess is that it is a bug either in Apache or the mod_php module. I'm not sure where you should report it ...
I've tried it myself and these work too: index.php.-php | index.php.~php | index.php.*php
[EDIT]
It seems the apache handler just ignores the things after ".php." because you can also do it on some other websites where that file doesn't exist. Just a random site _________________ Ep2.nl | Developers Community |
vierupro n00b
Joined: 15 Jun 2006 Posts: 5
|
Posted: Fri Jun 16, 2006 4:49 pm Post subject: |
|
|
Quote: | It seems the apache handler just ignores the things after ".php." because you can also do it on some other websites where that file doesn't exist. Just a random site |
It can't be done on all sites. It seems to me that it works only on those which use mod_rewrite and redirect the requests for non-existent files to index.php
Something like this:
Code: |
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*) index.php
|
Still don't know how to disable that thing... Should I report a bug or what ? 'cause I don't believe I'm the first one who found this problem... |
Aries-Belgium l33t
Joined: 08 Jul 2005 Posts: 730 Location: Willebroek, Belgium
|
Posted: Fri Jun 16, 2006 6:10 pm Post subject: |
|
|
vierupro wrote: | Quote: | It seems the apache handler just ignores the things after ".php." because you can also do it on some other websites where that file doesn't exist. Just a random site |
It can't be done on all sites. It seems to me that it works only on those which use mod_rewrite and redirect the requests for non-existent files to index.php
Something like this:
Code: |
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*) index.php
|
Still don't know how to disable that thing... Should I report a bug or what ? 'cause I don't believe I'm the first one who found this problem... |
It doesn't work on all websites, indeed.
But in the folder where I tested it, there wasn't a .htaccess file so I couldn't have rewritten the rules _________________ Ep2.nl | Developers Community |
mazaryk n00b
Joined: 03 Jul 2004 Posts: 62
|
Posted: Fri Jun 16, 2006 7:48 pm Post subject: |
|
|
This isn't a bug. The behavior lies in mod_mime:
http://httpd.apache.org/docs/trunk/mod/mod_mime.html#multipleext
Quote: | Files can have more than one extension, and the order of the extensions is normally irrelevant. |
vierupro,
My suggestion is to improve your upload filter to reject files with .php anywhere in the name, if you haven't already. Also, you may want to disable dangerous php functions (like shell_exec, exec, system, passthru, etc...) via the disable_functions directive in php.ini. _________________ http://www.mazaryk.com/ |
vierupro n00b
Joined: 15 Jun 2006 Posts: 5
|
Posted: Sun Jun 18, 2006 12:23 am Post subject: |
|
|
Thanks for the advice!
I have already disabled dangerous PHP functions on my web server. I've messed around a little bit with the mime docs and found that extensions like php.en, php.de, etc. (and the other language extensions) are executed as PHP scripts too... so... I will have to follow mazaryk's advice and filter the files containing .php anywhere in the filename until I find another solution to that. |
nobspangle Veteran
Joined: 23 Mar 2004 Posts: 1318 Location: Manchester, UK
|
Posted: Sun Jun 18, 2006 6:21 pm Post subject: |
|
|
You could also rename the files as they are uploaded and use a download script to retrieve them, which will prevent the PHP from being executed. |
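The two suggestions made in this thread (reject a handler-mapped extension anywhere in the name, then store uploads under a generated name and serve them through a download script), sketched in PHP as an added example that is not code from any poster. The function names and storage layout are assumptions, the extension list is copied from the AddType lines in the posted config, and `$storageDir` is assumed to sit outside the document root.

```php
<?php
// Added example (not from the thread); extension list copied from the posted AddType lines.
const HANDLER_EXTENSIONS = ['php', 'phtml', 'php3', 'php4', 'phps'];

// True if ANY dot-separated segment after the base name is handler-mapped,
// so shell.php._php and notes.php.en are caught, not only names ending in .php.
function has_handler_extension(string $filename): bool
{
    $segments = explode('.', strtolower(basename($filename)));
    array_shift($segments); // drop the base name, keep every extension
    foreach ($segments as $segment) {
        if (in_array(trim($segment), HANDLER_EXTENSIONS, true)) {
            return true;
        }
    }
    return false;
}

// Store the upload under a generated, dot-free name. Returns it, or null if rejected.
function store_upload(string $tmpPath, string $originalName, string $storageDir): ?string
{
    if (has_handler_extension($originalName)) {
        return null;
    }
    $storedName = bin2hex(random_bytes(16)); // 32 hex characters
    $target = rtrim($storageDir, '/') . '/' . $storedName;
    return move_uploaded_file($tmpPath, $target) ? $storedName : null;
}

// Download script side: stream the bytes as an attachment; nothing is executed.
function send_download(string $storedName, string $originalName, string $storageDir): void
{
    $path = rtrim($storageDir, '/') . '/' . $storedName;
    if (!preg_match('/^[0-9a-f]{32}$/', $storedName) || !is_file($path)) {
        http_response_code(404);
        return;
    }
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($originalName));
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    readfile($path);
}

// Constructed sample names, using the patterns reported in the thread.
if (PHP_SAPI === 'cli') {
    foreach (['shell.php._php', 'index.php.~php', 'notes.php.en', 'photo.jpg'] as $name) {
        echo $name, ' => ', has_handler_extension($name) ? 'reject' : 'accept', PHP_EOL;
    }
}
```

The original file name would be kept in the application's own records (a database row keyed by the stored name, for instance) and passed to `send_download()` only for the `Content-Disposition` header.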