Internet Storm Center

Thanks to fellow handler Jason for reminding me about the following common Apache misconception. This is not an Apache bug, or a misconfiguration per se. It is more an error of the operator not to read the manual.

In order to use PHP, or other modules in Apache, you typically use a configuration directive like:

LoadModule php4_module modules/libphp4.so 
AddType application/x-httpd-php .php

The misconception is about the ".php" part. Many, even experienced, Apache administrators believe that this will enable the PHP module for all files ending in ".php". Close, but wrong. It will enable php for all files that contain .php. For example, test.php.1 will be parsed using php, or something.php.bak. At first, this is actually a good thing. the .bak file will not leak source code. However, the issue becomes a very bad thing if you allow users to upload files. Now it is no longer sufficient to test if the extension is .php. A users could upload test.php.gif and the file would still be parsed by PHP.

This brings me to my checklist about how to upload files:

• do not use the user provided filename, come up with your own random / artificial filename.
• upload the files into one directory only, which is outside the DocumentRoot.
• carefully validate that the mime type provided by the user matches the mime type received.
• to retrieve the file, use a wrapper page (which can then also do access control).
• establish maximum file sizes and enforce them on the server.
• avoid anonymous uploads if you can.
• use AV scanners to check the file before you allow access ot the file.

(there is a section about this in my php course).

also see: http://httpd.apache.org/docs/1.3/mod/mod_mime.html#multipleext

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute    - twitter: http://twitter.com/johullrich