#1 Branko (cPanel Partner NOC, DataCenter Provider access level, joined Sep 2005)

PHP handler and AddType vs FilesMatch

    Hi... I'm opening up this discussion possibly related to security of user sites and current default setup of php.conf, hoping to get some feedback from fellow sysadmins and cPanel team.

I'm running a large number of suPHP servers, and with the current default config I've noticed that you can add random extensions to PHP files and they will still be handled by suPHP.

    For example:
    http://yourdomain.com/file.php.22

Where 22 can be any random extension (e.g. .inc, .anything...) that does not currently have a handler defined inside your Apache configuration.

As per Apache's documentation this is expected behavior, since AddType only associates a MIME type with an extension wherever that extension appears in the file name, without checking whether another extension follows it.
When it comes to the actual handlers, it will trigger the handler for each MIME type defined. In this case it will add the default type text/plain + application/x-httpd-php5, which will be processed by the suPHP handler.

Anyway, as per the documentation, to avoid such behavior the handler should be defined based on the final extension only.

Why am I concerned about this... well, over time I've seen a lot of injected PHP shells and other malicious PHP code masked with double extensions to bypass poorly written upload verification scripts.

Anyway, a proposed fix to this double-extension PHP rendering would be:

    Code:
    <FilesMatch "\.(php5|php4|php|php3|php2|phtml)$">
    SetHandler application/x-httpd-php5
    </FilesMatch>
    instead of:

    Code:
    AddType application/x-httpd-php5 .php5 .php4 .php .php3 .php2 .phtml
    In /usr/local/apache/conf/php.conf

What I'm interested to find out from the community is... how to maintain this change after EasyApache rebuilds (post-build hooks)?
Is there any particular reason why cPanel is using AddType instead of FilesMatch?
Is there any use case where such double extensions are somehow useful?

#2 ruicruz (Member, joined Jul 2011)

Default only .php handling

    Hi,

If you notice, you can run a file named something.php.kkk or .uuu or another unusual extension.

This is due to the default Apache config in httpd.conf, as it uses:
    <Directory />
    suPHP_AddHandler application/x-httpd-php5
    </Directory>
    Instead of:
    <FilesMatch \.php$>
    suPHP_AddHandler application/x-httpd-php5
    </FilesMatch>
This could be dangerous if you have a less experienced client running strange scripts, and the change could improve security.

This is, at this time, a must-have feature.



    Rui

#3 Infopro (cPanel Product Evangelist, Root Administrator access level, Pennsylvania, joined May 2003)

Re: PHP handler and AddType vs FilesMatch

@ruicruz, I've merged your thread into this one; as you can see they are related.

#4 cPanelDavidG (Technical Product Specialist, Root Administrator access level, Houston, TX, joined Nov 2006)

Re: PHP handler and AddType vs FilesMatch

I'm a bit confused here; can someone enlighten me as to the problem this proposed solution would be solving?

#5 Branko (cPanel Partner NOC, DataCenter Provider access level, joined Sep 2005)

Re: PHP handler and AddType vs FilesMatch

    Hi David,

Well, in the first place it would limit PHP script execution to only the valid, defined extensions.

As stated in my first post, the current config defines it as:

    Code:
    AddType application/x-httpd-php5 .php5 .php4 .php .php3 .php2 .phtml
With this setup you can have a PHP script named script.php and it will run as PHP code.
You can also have script.php.anything and it will still execute as PHP code (if the second extension does not conflict with another handler).

    With this setup:
    Code:
    <FilesMatch "\.(php5|php4|php|php3|php2|phtml)$">
    SetHandler application/x-httpd-php5
    </FilesMatch>
You are actually limiting script filenames to end with the defined extensions.

Also, as stated in my first post, and as ruicruz stated in his:

Over time we will see malicious code uploaded into client accounts via less secure client scripts that do not do proper file extension verification. I myself have witnessed a couple of code injections like this.

While I do understand that this is not an issue with the cPanel and/or Apache/PHP stack, but rather with bad client coding, it would be a nice feature to limit these kinds of attacks by a simple default configuration change in cPanel.

Hope this helps.
    Last edited by Branko; 03-07-2012 at 01:49 PM.
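The following is an added example, not code from the thread or from cPanel. It models the two configurations that posts #1 and #5 compare: mod_mime's AddType walk, in which every dot-separated extension is examined and any recognised one associates the PHP type (so file.php.22 is still served as PHP), versus a FilesMatch block anchored with $ that only honours the final extension. It also includes a small audit helper that lists which filenames in an upload directory would change behaviour after the FilesMatch change, which is a useful check to run before rolling it out. The extension list and the sample filenames are constructed for illustration; the assumption that unrecognised extensions are simply ignored and that the rightmost recognised one wins follows the behaviour the thread describes.

```python
"""Model Apache mod_mime extension handling: AddType walk versus FilesMatch anchored regex.

Added illustration; the extension table and sample filenames are constructed, not taken
from any real server configuration.
"""
import re

PHP_HANDLER = "application/x-httpd-php5"

# The extensions the thread's AddType line registers (constructed to match the posts).
PHP_EXTENSIONS = (".php5", ".php4", ".php", ".php3", ".php2", ".phtml")
ADDTYPE_MAP = {ext: PHP_HANDLER for ext in PHP_EXTENSIONS}

# The FilesMatch pattern proposed in the thread: only the final extension counts.
FILESMATCH_RE = re.compile(r"\.(php5|php4|php|php3|php2|phtml)$")


def extensions(filename):
    """Return the extension list mod_mime walks, e.g. 'a.php.22' -> ['.php', '.22']."""
    basename = filename.rsplit("/", 1)[-1]
    parts = basename.split(".")
    return ["." + part for part in parts[1:]]


def addtype_handler(filename):
    """AddType semantics as described in the thread: every extension is examined,
    unrecognised ones are ignored, and the rightmost recognised one wins."""
    handler = None
    for ext in extensions(filename):
        if ext.lower() in ADDTYPE_MAP:
            handler = ADDTYPE_MAP[ext.lower()]
    return handler


def filesmatch_handler(filename):
    """FilesMatch + SetHandler semantics: the handler applies only when the
    anchored regex matches, i.e. the filename ENDS with a PHP extension."""
    basename = filename.rsplit("/", 1)[-1]
    return PHP_HANDLER if FILESMATCH_RE.search(basename) else None


def find_double_extension_php(filenames):
    """Audit helper: filenames that execute as PHP under AddType but not under
    FilesMatch. These are the double-extension uploads the thread warns about."""
    return [
        name for name in filenames
        if addtype_handler(name) == PHP_HANDLER and filesmatch_handler(name) is None
    ]


if __name__ == "__main__":
    # Constructed sample of an upload directory listing.
    sample = ["index.php", "avatar.jpg", "shell.php.22", "notes.phtml.bak", "readme.txt"]
    for name in sample:
        print(f"{name:18} AddType={addtype_handler(name)!s:28} "
              f"FilesMatch={filesmatch_handler(name)}")
    print("would stop executing after the change:", find_double_extension_php(sample))
```

The audit helper is the practical part: run it over a listing of each account's writable directories before switching to the FilesMatch block, and anything it reports is either a legitimate file that relied on the lax behaviour (rare, and worth renaming) or exactly the kind of disguised upload the change is meant to neutralise.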
