The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

apache parsing non php or cgi or pl scripts

Discussion in 'EasyApache' started by dchepishev, Jun 8, 2006.

  1. dchepishev

    dchepishev Well-Known Member
    PartnerNOC

    Joined:
    Oct 19, 2005
    Messages:
    52
    Likes Received:
    0
    Trophy Points:
    6
    Hi all,
    Yesterday one of my users was hacked very easy. He has picture gallery on his site. The gallery is open for anyone to register. The evil guy registered and uploaded a php shell with name:

    ly.php.rar

    And the stupid apache is parsing this as php file. It parses ahything like: something.php.aaa.bbb.ccc.ddd as php file. It is absolutely the same with .pl and .cgi scripts.

    Does anyone of you guys knows how to disable this. I figured one way with mod_security and the following regex: SecFilterSelective THE_REQUEST ".*\.php\..*" . However I am interested if there is any other way to disable this.
    My config is:
    apache 1.3
    php 4.4.2 as CGI
     
  2. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    You'll have to upgrade your client's Php script to the latest release and/or implement a security patch released by the author. You also need to clean up your server from the files downloaded and installed on your server. In addition to Mod Security, there are other things you can do to harden and secure your server.
     
  3. dchepishev

    dchepishev Well-Known Member
    PartnerNOC

    Joined:
    Oct 19, 2005
    Messages:
    52
    Likes Received:
    0
    Trophy Points:
    6
    I am not sure you understand me correct. I am asking how this behavior can be disabled, not what to do now. This is not a bug in the php scripts. Actually any application which uploads files in the web tree will cause such problems. This is not a problem of the app. Apache is not supposed to handle files not ending with .php as php files.

    I know what to do, I want to know how can I stop this if possible ;).

    In apache 2.0.30 and up I think this should do the job: AcceptPathInfo Off
    But there is no such parameter for apache 1.3
     
Loading...

Share This Page