Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
 Topic: File Upload: Double Extension Attack |
|
| Author |
|
icarus
Joined: 28 Sep 2017
Posts: 2
|
 Posted: Thu 28 Sep '17 23:02 Post subject: File Upload: Double Extension Attack |
 |
|
In the section "Double extensions" on Why File Upload Forms are a Major Security Threat it says:
| Quote: |
Therefore, a file named filename.php.123, will be interpreted as a PHP file by Apache HTTP Server, and it will be executed.
|
I tried to test this myself, but Apache does not execute PHP code for a file name like that (I am running Apache with default configurations).
Have the (default) rules regarding double extensions changed? |
|
| Back to top |
|
glsmith
Moderator
Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA
|
| Posted: Fri 29 Sep '17 19:50 Post subject: |
|
|
Yes and no.
With a commonly suggested all over the web configuration like this;
| Code: | LoadModule php7_module /php/php7apache2_4.dll
<IfModule php7_module>
PHPIniDir /php
AddHandler application/x-httpd-php .php
</IfModule> |
You could go to this filename.php.123 and it will be interpreted by PHP unfortunately.
However, a configuration like this;
| Code: | LoadModule php7_module /php/php7apache2_4.dll
<IfModule php7_module>
PHPIniDir /php
<Files ~ "\.php$">
AddHandler application/x-httpd-php .php
</Files>
</IfModule> |
It will not work. So it could be considered a configuration error that allows it.
If you set up your Apache using the "Proven Setup" here in the forum, you are using mod_fcgid to run PHP and it's configuration uses this <Files> container with regex to halt the search at the $.
I've never tried configuring with AddType as suggested in the article which is less typing and trying it just now does work  |
|
| Back to top |
|
icarus
Joined: 28 Sep 2017
Posts: 2
|
| Posted: Fri 29 Sep '17 22:52 Post subject: |
|
|
| Great answer, thanks! |
|
| Back to top |
|
timo
Joined: 03 Jun 2012
Posts: 45
Location: FI, EU
|
| Posted: Sat 30 Sep '17 7:36 Post subject: |
|
|
| glsmith wrote: | | If ... you are using mod_fcgid to run PHP |
So, does PHP as an Apache module require this?
Here is a part of my conf: | Code: | ScriptAlias /php/ "c:/php/"
AddType application/x-httpd-php .php .phtml
PHPIniDir "C:/PHP"
LoadModule php7_module "c:/php/php7apache2_4.dll"
|
I tested with a file that was named test.php and test.php.txt.
Test.php runs as a PHP file should.
Test.php.txt does not, instead browser asks if I want to open it or download it. If I open it, it acts as a text file according to the last extension. |
|
| Back to top |
|
glsmith
Moderator
Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA
|
| Posted: Sun 01 Oct '17 7:46 Post subject: |
|
|
| The difference is AddType doesn't vs. AddHandler does. |
|
| Back to top |
|
timo
Joined: 03 Jun 2012
Posts: 45
Location: FI, EU
|
| Posted: Sun 01 Oct '17 7:52 Post subject: |
|
|
| glsmith wrote: | | The difference is AddType doesn't vs. AddHandler does. |
According to the test I would agree, but in Apache manual for AddType directive it says | Quote: | | The extension argument is case-insensitive and can be specified with or without a leading dot. Filenames may have multiple extensions and the extension argument will be compared against each of them. |
http://httpd.apache.org/docs/2.4/mod/mod_mime.html#addtype |
|
| Back to top |
|
|
|
|
|
|
