[Bug 358703] [NEW] Wrong/insecure configuration of PHP module

imagine the.box at gmx.net
Thu Apr 9 20:34:55 BST 2009


Public bug reported:

Binary package hint: libapache2-mod-php5

The Apache directives inside /etc/apache2/mods-available/php5.conf are both wrong and insecure. The relevant lines are:
---
AddType application/x-httpd-php .php .phtml .php3
AddType application/x-httpd-php-source .phps
---

1. 'AddType' is an Apache directive to configure the MIME type of files
for the CLIENT side. However, PHP is executed on the SERVER side, hence
'AddHandler' or 'SetHandler' must be used instead.

2. In my experience, users running Apache with mod_php expect that only
files ending with .php, .phtml or .php3 will be processed by the PHP
interpreter. However, the 'AddType' directives above will enable PHP for
all files CONTAINING .php, .phtml or .php3. For example,
'file.php.something' will also be executed on the server as long as it
contains PHP code [1].


Upstream updated its documentation [2] some months ago to correct those problems, and it now states:
---
Tell Apache to parse certain extensions as PHP.  For example, let's have Apache parse .php files as PHP. Instead of only using the Apache AddType directive, we want to avoid potentially dangerous uploads and created files such as exploit.php.jpg from being executed as PHP. Using this example, you could have any extension(s) parse as PHP by simply adding them. We'll add .phtml to demonstrate.
<FilesMatch \.php$>
  SetHandler application/x-httpd-php
</FilesMatch>
[...]
---

Please change /etc/apache2/mods-available/php5.conf accordingly. As far
as I know, this bug exists in all versions of libapache2-mod-php5 and is
therefore true for all Ubuntu versions.


[1] http://httpd.apache.org/docs/2.2/en/mod/mod_mime.html#multipleext
[2] http://www.php.net/manual/en/install.unix.apache2.php

** Affects: php5 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
Wrong/insecure configuration of PHP module
https://bugs.launchpad.net/bugs/358703
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to php5 in ubuntu.


