Thanks to fellow handler Jason for reminding me about the following common Apache misconception. This is not an Apache bug, or a misconfiguration per se; it is more a failure of the operator to read the manual. In order to use PHP, or other modules, in Apache, you typically use a configuration directive like:
The misconception is about the ".php" part. Many, even experienced, Apache administrators believe that this will enable the PHP module for all files ending in ".php". Close, but wrong. It will enable PHP for all files that have ".php" anywhere in their list of extensions, not only as the last one. For example, test.php.1 will be parsed using PHP, as will something.php.bak. At first, this is actually a good thing: the .bak file will not leak source code. However, the issue becomes a very bad thing if you allow users to upload files. Now it is no longer sufficient to test whether the final extension is .php. A user could upload test.php.gif and the file would still be parsed by PHP. This brings me to my checklist about how to upload files:
(There is a section about this in my PHP course.) Also see: http://httpd.apache.org/docs/1.3/mod/mod_mime.html#multipleext
Johannes, 4068 Posts, ISC Handler, Apr 7th 2009
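To make the gap between "ends with .php" and Apache's multiple-extension rule concrete, here is an added example (not from the diary): a small Python check that mirrors how mod_mime treats every dotted component as an extension, next to an allow-list check for an upload form. The script-extension set and the allowed-upload pattern are constructed assumptions for this example; take the real ones from your server's handler configuration.

```python
"""Added example: why checking only the last extension is not enough when
Apache maps a handler by every extension in a file name (test.php.gif)."""
import re

# Extensions the server hands to a script engine.  Constructed for this
# example; the real list comes from the server's AddType/AddHandler lines.
SCRIPT_EXTENSIONS = {"php", "php3", "php5", "phtml", "phar"}

# Upload allow-list: a plain base name plus exactly one image extension.
# Constructed for this example.
ALLOWED_UPLOAD = re.compile(r"\A[A-Za-z0-9_-]{1,64}\.(gif|jpe?g|png)\Z",
                            re.IGNORECASE)


def naive_is_script(filename: str) -> bool:
    """The check behind the misconception: look at the last extension only."""
    return filename.lower().rsplit(".", 1)[-1] in SCRIPT_EXTENSIONS


def apache_would_run_as_script(filename: str) -> bool:
    """Mirror mod_mime's rule: every dot-separated part after the base name
    is an extension, and any one of them mapped to PHP selects the handler."""
    parts = filename.lower().split(".")[1:]
    return any(part in SCRIPT_EXTENSIONS for part in parts)


def upload_name_is_acceptable(filename: str) -> bool:
    """Allow-list check for an upload form: drop any directory part, require
    exactly one extension from the list, and, as defence in depth, refuse
    anything a handler would still pick up."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if not ALLOWED_UPLOAD.match(base):
        return False
    return not apache_would_run_as_script(base)


if __name__ == "__main__":
    samples = ["photo.gif", "test.php", "test.php.gif",
               "something.php.bak", "../x.php.png"]
    for name in samples:
        print(f"{name:20} naive={naive_is_script(name)!s:5} "
              f"apache={apache_would_run_as_script(name)!s:5} "
              f"accept={upload_name_is_acceptable(name)}")
```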
How do you "use AV scanners to check the file before you allow access to the file", via the command line on the FreeBSD server, or is this done locally prior to uploading?
Anonymous, Apr 7th 2009
Could you use ClamAV?
Anonymous, Apr 7th 2009
The mod_mime docs also suggest that a FilesMatch stanza can be used in place of AddType to restrict mappings to (e.g.) the final extension only: http://httpd.apache.org/docs/2.2/mod/mod_mime.html#multipleext
Anonymous, Apr 7th 2009