next »

[JasonD]

I was going through some old code of mine and remembered an old Apache feature bug.

I tried it on a couple of my servers and found I was still able to use it and wonder if you would mind checking to make sure you are safe | vulnerable.

Apache, when asked to render a page with an extension it doesn't know about will look at the name of the file and if there is an extension (for want of a better word) earlier in the file name will render the file according to the rules it has for that earlier extension.

Example.

Code:

<? phpinfo(); ?>

place a file with the above contents on your server but call it something like.

Code:

thisisatest.php.gobbledegook

If you see the standard phpinfo page then your Apache installation is susceptable.

This in itself isn't a major cause for concern but if you allow file uploads of any kind, you will normally check what can be uploaded and reject certain file extensions. This will generally bypass those restrictions and if the location of file uploads is known in your application the script can be accessed and obviously everything that cuold be done with that probably will be.

N.B. This is FAR from a new exploit but I am curious (as I found I was vuln) if any of you guys are. Not because I want to root you but I am interested at seeing how widespread this problem still is "in the wild" so to speak!

[perkiset]

It does still work JD, although not for the reason I think you're saying - I think that the regex Apache uses to figure out what to do sees the ".php" and goes with it. If, for example, you named it test.html.test then it would return it as HTML (I just tested it). It does not work if "php" is simply in the name - test-php.test does not process it as php.

So I'd wager that this is not a patched bug... but rather a known "Be Careful" because it would work.