The Cache: Technology Expert's Forum
Author Topic: Security Check  (Read 2324 times)
JasonD
« on: October 05, 2007, 02:30:59 AM »

I was going through some old code of mine and remembered an old Apache feature bug.

I tried it on a couple of my servers and found I was still able to use it and wonder if you would mind checking to make sure you are safe | vulnerable.

Apache, when asked to render a page with an extension it doesn't know about, will look at the name of the file and, if there is an extension (for want of a better word) earlier in the file name, will render the file according to the rules it has for that earlier extension.

Example.

Code:
<?php phpinfo(); ?>

Place a file with the above contents on your server but call it something like:

Code:
thisisatest.php.gobbledegook

If you see the standard phpinfo page then your Apache installation is susceptible.

This in itself isn't a major cause for concern but if you allow file uploads of any kind, you will normally check what can be uploaded and reject certain file extensions. This will generally bypass those restrictions and if the location of file uploads is known in your application the script can be accessed and obviously everything that could be done with that probably will be.

N.B. This is FAR from a new exploit but I am curious (as I found I was vuln) if any of you guys are. Not because I want to root you but I am interested in seeing how widespread this problem still is "in the wild" so to speak!
perkiset
« Reply #1 on: October 05, 2007, 06:35:06 AM »

It does still work JD, although not for the reason I think you're saying - I think that the regex Apache uses to figure out what to do sees the ".php" and goes with it. If, for example, you named it test.html.test then it would return it as HTML (I just tested it). It does not work if "php" is simply in the name - test-php.test does not process it as php.

So I'd wager that this is not a patched bug... but rather a known "Be Careful" because it would work.

It is now believed, that after having lived in one compound with 3 wives and never leaving the house for 5 years, Bin Laden called the U.S. Navy Seals himself.
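
An added example, not code from either post: a simplified Python model of how Apache's mod_mime treats a file with several dot-separated extensions (unknown ones are ignored, known ones each contribute), used to audit upload names that slip past a last-extension check. The `HANDLERS` and `TYPES` tables and the sample file names are constructed assumptions, not any real server's configuration.

```python
import os

# Assumed sample mappings (constructed): what AddHandler / AddType might declare.
HANDLERS = {"php": "php-script", "cgi": "cgi-script"}
TYPES = {"html": "text/html", "jpg": "image/jpeg", "png": "image/png", "txt": "text/plain"}

def resolve(filename):
    """Return (handler, content_type) the way mod_mime combines extensions:
    everything after the first dot is an extension, unknown ones are ignored,
    and for each kind of metadata the right-most known extension wins."""
    handler = ctype = None
    for ext in os.path.basename(filename).lower().split(".")[1:]:
        if ext in HANDLERS:
            handler = HANDLERS[ext]
        if ext in TYPES:
            ctype = TYPES[ext]
    return handler, ctype

def naive_filter_allows(filename, blocked=("php", "cgi")):
    """The kind of upload check that gets bypassed: only the last extension is inspected."""
    return filename.lower().rsplit(".", 1)[-1] not in blocked

def strict_filter_allows(filename, allowed=("jpg", "png", "txt")):
    """Accept exactly one extension, and only from an allowlist."""
    parts = os.path.basename(filename).lower().split(".")
    return len(parts) == 2 and parts[0] != "" and parts[1] in allowed

def audit(filenames):
    """List names that pass the naive filter but would still be given a script handler."""
    return [f for f in filenames if naive_filter_allows(f) and resolve(f)[0]]

# Constructed sample names, including the ones tried in the thread.
SAMPLE = ["thisisatest.php.gobbledegook", "test.html.test", "test-php.test",
          "holiday.jpg", "avatar.php.jpg", "index.php"]

if __name__ == "__main__":
    for name in SAMPLE:
        verdict = "strict ok" if strict_filter_allows(name) else "strict reject"
        print(name, resolve(name), verdict)
    print("pass the naive filter but run as script:", audit(SAMPLE))
```

Run `audit()` over a listing of the upload directory; anything it returns should be renamed or removed, and new uploads should go through a check like `strict_filter_allows()` or be stored under a server-generated name.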