File Upload: Double Extension Attack

 
icarus



Joined: 28 Sep 2017
Posts: 2

Posted: Thu 28 Sep '17 23:02    Post subject: File Upload: Double Extension Attack

In the section "Double extensions" on Why File Upload Forms are a Major Security Threat it says:
Quote:

Therefore, a file named filename.php.123, will be interpreted as a PHP file by Apache HTTP Server, and it will be executed.


I tried to test this myself, but Apache does not execute PHP code for a file name like that (I am running Apache with default configurations).

Have the (default) rules regarding double extensions changed?
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2123
Location: Sun Diego, USA

Posted: Fri 29 Sep '17 19:50

Yes and no.

With a commonly suggested all over the web configuration like this;
Code:
LoadModule php7_module /php/php7apache2_4.dll
<IfModule php7_module>
  PHPIniDir /php
  AddHandler application/x-httpd-php .php
</IfModule>

You could go to this filename.php.123 and it will be interpreted by PHP unfortunately.

However, a configuration like this;
Code:
LoadModule php7_module /php/php7apache2_4.dll
<IfModule php7_module>
  PHPIniDir /php
  <Files ~ "\.php$">
    AddHandler application/x-httpd-php .php
  </Files>
</IfModule>

It will not work. So it could be considered a configuration error that allows it.

If you set up your Apache using the "Proven Setup" here in the forum, you are using mod_fcgid to run PHP and its configuration uses this <Files> container with regex to halt the search at the $.

I've never tried configuring with AddType as suggested in the article which is less typing and trying it just now does work :)
icarus



Joined: 28 Sep 2017
Posts: 2

Posted: Fri 29 Sep '17 22:52

Great answer, thanks!
timo



Joined: 03 Jun 2012
Posts: 28
Location: FI, EU

Posted: Sat 30 Sep '17 7:36

glsmith wrote:
If ... you are using mod_fcgid to run PHP

So, does PHP as an Apache module require this?
Here is a part of my conf:
Code:
ScriptAlias /php/ "c:/php/"
AddType application/x-httpd-php .php .phtml

PHPIniDir "C:/PHP"
LoadModule php7_module "c:/php/php7apache2_4.dll"

I tested with files named test.php and test.php.txt.
Test.php runs as a PHP file should.
Test.php.txt does not; instead the browser asks if I want to open it or download it. If I open it, it acts as a text file according to the last extension.
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2123
Location: Sun Diego, USA

Posted: Sun 01 Oct '17 7:46

The difference is AddType doesn't vs. AddHandler does.
timo



Joined: 03 Jun 2012
Posts: 28
Location: FI, EU

Posted: Sun 01 Oct '17 7:52

glsmith wrote:
The difference is AddType doesn't vs. AddHandler does.

According to the test I would agree, but in Apache manual for AddType directive it says
Quote:
The extension argument is case-insensitive and can be specified with or without a leading dot. Filenames may have multiple extensions and the extension argument will be compared against each of them.

http://httpd.apache.org/docs/2.4/mod/mod_mime.html#addtype
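
The following is an added example, not part of the thread and not Apache's own code: a simplified Python model of the documented mod_mime rule (every extension after the base name is looked up, and when several map to the same kind of metadata the rightmost one wins), applied to the three configurations and the file names tested above. The `MIME_TYPES` table is a constructed stand-in for the server's mime.types file and the function names are hypothetical.

```python
import re

# Constructed stand-in for the server's mime.types table (assumption).
MIME_TYPES = {"txt": "text/plain", "html": "text/html", "jpg": "image/jpeg"}
PHP = "application/x-httpd-php"

# The three setups discussed in the thread, reduced to what affects .php.
CONFIGS = {
    "AddHandler":         {"add_handler": {"php": PHP}, "add_type": {}, "files_re": None},
    "AddHandler+<Files>": {"add_handler": {"php": PHP}, "add_type": {}, "files_re": r"\.php$"},
    "AddType":            {"add_handler": {}, "add_type": {"php": PHP}, "files_re": None},
}

def resolve(filename, cfg):
    """Return (handler, content_type) for filename under the simplified model."""
    add_handler, add_type = cfg["add_handler"], cfg["add_type"]
    # Directives inside <Files ~ regex> apply only if the file name matches.
    if cfg["files_re"] and not re.search(cfg["files_re"], filename):
        add_handler, add_type = {}, {}
    handler = ctype = None
    # The part before the first dot is the base name, not an extension.
    for ext in filename.lower().split(".")[1:]:
        if ext in MIME_TYPES:      # type from mime.types
            ctype = MIME_TYPES[ext]
        if ext in add_type:        # AddType overrides mime.types for this extension
            ctype = add_type[ext]
        if ext in add_handler:     # handler is tracked separately from the type
            handler = add_handler[ext]
    return handler, ctype

def runs_as_php(filename, cfg_name):
    handler, ctype = resolve(filename, CONFIGS[cfg_name])
    # With no explicit handler, the content type is used to pick the handler.
    return (handler or ctype) == PHP

def audit(filenames):
    """Map each file name to the configurations under which PHP would run it."""
    return {n: [c for c in CONFIGS if runs_as_php(n, c)] for n in filenames}

if __name__ == "__main__":
    for name, hits in audit(["test.php", "filename.php.123", "test.php.txt"]).items():
        print(f"{name:18} executed under: {', '.join(hits) or 'none'}")
```

In this model a later known extension such as .txt replaces the content type set by AddType but leaves a handler set by AddHandler in place, while an unknown extension such as .123 replaces neither.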