
apache problem with double extensions

Discussion in 'EasyApache' started by ntwaddel, Mar 15, 2006.

  1. ntwaddel

    ntwaddel Well-Known Member

    I'm having problems with Apache running scripts as PHP that are not .php extensions

    http://ws01.webspacesolutions.com/phpinfo.php.rar

    for example

    I googled it, and it appears to be a mod_mime problem, but I can't find any fix. Someone exploited a Coppermine gallery this way by uploading a file.php.rar file and executing it.
     
  2. webignition

    webignition Well-Known Member

    Are you saying that Apache is executing that URL as if it were a PHP script?

    I tried visiting that URL and my browser tried to download what it believed to be a .rar archive.

    Could you clarify what the case is?
     
  3. ntwaddel

    ntwaddel Well-Known Member

  4. webignition

    webignition Well-Known Member

    I see what you mean. I tried the same thing myself and got the same results.

    From the filenames I tried, it looks like Apache interprets the file type as being whatever is after the first dot and before the second dot, if present.

    e.g.

    www.example.com/bob.html.random -> treated as HTML
    www.example.com/bob.php.random -> treated as PHP
    www.example.com/bob.py.random -> treated as Python

    I can't say for sure if this is a bug, as I'm not sure what Apache is designed to do in such situations; however, from the point of view of common sense, it seems like Apache does not do what you would expect, and therefore it is a bug, or at least a misconfiguration.

    I might send an email over to cPanel support and see what they have to say.
     
  5. jamesbond

    jamesbond Well-Known Member

    This is also a potential security issue for sites that have their PHP include files named like this: *.inc.php, which is not uncommon.

    Or is this treated as PHP? (didn't check)
     
    #5 jamesbond, Mar 16, 2006
    Last edited: Mar 16, 2006
  6. webignition

    webignition Well-Known Member

    Now I think about it, this doesn't really appear to be a problem.

    In the case of Coppermine being exploited, there would be two possible solutions.

    Preferably, the producers of Coppermine should really fix the product so that it can't be exploited in such a fashion. Coppermine is a gallery and so users shouldn't be uploading anything other than images - it is possible to check the MIME type of uploaded files and reject those that aren't deemed acceptable. This would be the ideal solution. Perhaps you should drop them a line.

    Alternatively, you could implement a mod_security rule to reject such requests.
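
The application-side check suggested in the last post, as an added example that is not part of the original thread and is not Coppermine's code: it rejects a name such as file.php.rar by inspecting every dot-separated component and by matching the content against the claimed image type. The `SCRIPT_EXTS` list, the `check_upload` helper and the sample inputs are assumptions made for illustration.

```python
import os
import secrets

# Assumption: extensions the web server maps to an interpreter (site-specific).
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml", "pl", "py", "cgi", "shtml"}

# Leading magic bytes of the image types a gallery accepts.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
ALIASES = {"jpeg": "jpg"}


def check_upload(filename, data):
    """Return (ok, reason, stored_name) for an uploaded file (hypothetical helper)."""
    base = os.path.basename(filename.replace("\\", "/"))
    parts = [p.lower() for p in base.split(".")]
    if len(parts) < 2 or not parts[0]:
        return False, "no extension or hidden file", None
    exts = parts[1:]
    # Check every dot-separated component, not only the last one:
    # file.php.rar must fail because of the inner "php".
    bad = [e for e in exts if e in SCRIPT_EXTS]
    if bad:
        return False, "script extension in name: " + bad[0], None
    final = ALIASES.get(exts[-1], exts[-1])
    if final not in MAGIC:
        return False, "type not allowed: " + exts[-1], None
    # The client-supplied name and MIME type are untrusted; look at the bytes.
    if not data.startswith(MAGIC[final]):
        return False, "content does not match ." + final, None
    # Store under a server-chosen name so the client's name never reaches disk.
    return True, "ok", secrets.token_hex(8) + "." + final


# Constructed sample inputs.
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP = b"<?php phpinfo(); ?>"

if __name__ == "__main__":
    for name, body in [("cat.png", PNG), ("file.php.rar", PHP),
                       ("photo.php.png", PNG), ("cat.png", PHP)]:
        print(name, check_upload(name, body)[:2])
```

Because the stored name is generated by the server, an accepted file keeps a single extension on disk whatever the uploader called it.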
     