SOLVED [CPANEL-25339] .php.txt files are executed by PHP in cPanel 78

[WhiteDog]

Hello,

Please observe this scenario:
- Create a file called index.txt and one called index.php.txt
- put in both code to show e.g. phpinfo()

Expected result:
- Both files show your PHP code in text.

In my case:
- index.txt show the code
- index.php.txt is being executed

I'm using cPanel 78.0.3 with PHP 7.2.14 (suphp). Also tested with other PHP versions and PHP-FPM (same result). I can't replicate on another server though (all on 76).

Not sure if it's me, EasyApache or PHP that is causing this. Only noticed today. In either case this is not good as .txt files are probably ignored by a lot of security products. A .php.txt files is imho a .txt file.

Backstory: I have a WHM plugin that (to update) downloads the file index.php.txt. I got reports today that this is not working and I see that the "executed" version of the script is downloaded. I have not touched this configuration for a long time aside from cPanel and EA4 updates.

Anyone who can replicate this or has an idea what could cause this?

 

[rpvw]

Do you have any AddType entries in your .htaccess ?

eg something like

AddType application/x-httpd-php .txt

that would allow a txt file to be run as PHP

 

[WhiteDog]

I have not, and then the index.txt should also be executed. Regular .txt files are not executed.
I also tried explicitly adding a MIME type (cPanel) and AddType for ".php.txt" but with the same result.
The issue can be replicated on multiple accounts on the cPanel 78 server.

Edit:
You can also call the file test.txt.php.txt.txt.txt OR test.php.txt.txt.txt. As soon as there is ".php" in there it's executed as PHP

Edit 2:
I worked around this by adding "AddHandler plain/text php" to the .htaccess of my download directory. Still, it's not normal for the (assuming Apache) MIME type detection to see these files as php

 

[rpvw]

Hi @WhiteDog
Sorry to have been so long getting back to you.
I have tried all the examples you have given, and I cannot get the php to execute - every test case just returns the code in the file as text. (All test files were written to have 0644 permissions, and username/username Owner/Group)

Server specs:
CloudLinux Server release 6.10
cpanel:11.76.0.18
Server version: Apache/2.4.37
ea-php-cli Copyright 2017 cPanel, Inc.
ALT-PHP 7.2.14 using lsapi handler
mysql Ver 15.1 Distrib 10.1.37-MariaDB, for Linux (x86_64) using readline 5.1

 

[WhiteDog]

I'm on Centos 7.6. In the meantime I have:
- Upgraded another server to cPanel 78
- Set the exact same Apache version and Apache modules
- Compared global Apache settings
- ... and was not able to replicate the issue

Nothing abnormal in my httpd.conf and mime.types either.

I did find a server wide "fix", by adding "AddHandler text/plain txt" to pre_virtualhost_global.conf
But, guess what, same issue with other mime types: index.php.jpg, index.php.xml, ... all execute PHP

 

[cPanelMichael]

Hello @WhiteDog,

I've reproduced this on cPanel & WHM version 78 and opened internal case CPANEL-25339 to report the issue. I'll monitor this case and update this thread with more information as it becomes available.

Thank you.

 

[cPanelMichael]

Hello,

To update, this was fixed as part of the most recent EA4 maintenance release:

ZC-4742: Install configuration to prevent non-PHP files from being executed by PHP

You can manually update to the latest EA4 RPMs using the "yum update" command if automatic updates are disabled on your system.

Thank you.