Debian Bug report logs - #691413
libapache2-mod-php5: php files without php extension executed by default


Package: mime-support; Maintainer for mime-support is Mime-Support Packagers <team+debian-mimesupport-packagers@tracker.debian.org>; Source for mime-support is src:mime-support.

Affects: php5

Reported by: Pierre Colombier <pcdwarf@pcdwarf.net>

Date: Thu, 25 Oct 2012 12:51:02 UTC

Severity: serious

Merged with 589384

Found in version mime-support/3.44-1

Fixed in version mime-support/3.52-1

Done: Brian White <bcwhite@pobox.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#691413; Package libapache2-mod-php5. (Thu, 25 Oct 2012 12:51:04 GMT).


Acknowledgement sent to Pierre Colombier <pcdwarf@pcdwarf.net>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Thu, 25 Oct 2012 12:51:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Pierre Colombier <pcdwarf@pcdwarf.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libapache2-mod-php5: php files without php extension executed by default
Date: Thu, 25 Oct 2012 14:39:17 +0200
Package: libapache2-mod-php5
Version: 5.3.3-7+squeeze14
Severity: normal

When you have a file with a name like
   "file.php.something",
Apache considers it is a php file and executes it even if its name
does not end with .php or a php-related extension
If 'something' is a valid extension of another mimetype
like .jpeg it won't be executed.

This leads to some security issues with machines
where files can be uploaded. For example if someone
can upload a file named nasty.php.hack on a web server
and then access it, he will gain access to this server with the
same rights as apache.
Of course this can be prevented by checking the filenames
on upload but it is non-obvious and the default behaviour
is sufficiently surprising not to be expected.





-- System Information:
Debian Release: 6.0.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libapache2-mod-php5 depends on:
ii  apache2-mpm-prefor 2.2.16-6+squeeze8     Apache HTTP Server - traditional n
ii  apache2.2-common   2.2.16-6+squeeze8     Apache HTTP Server common files
ii  libbz2-1.0         1.0.5-6+squeeze1      high-quality block-sorting file co
ii  libc6              2.11.3-4              Embedded GNU C Library: Shared lib
ii  libcomerr2         1.41.12-4stable1      common error description library
ii  libdb4.8           4.8.30-2              Berkeley v4.8 Database Libraries [
ii  libgssapi-krb5-2   1.8.3+dfsg-4squeeze6  MIT Kerberos runtime libraries - k
ii  libk5crypto3       1.8.3+dfsg-4squeeze6  MIT Kerberos runtime libraries - C
ii  libkrb5-3          1.8.3+dfsg-4squeeze6  MIT Kerberos runtime libraries
ii  libmagic1          5.04-5+squeeze2       File type determination library us
ii  libonig2           5.9.1-1               Oniguruma regular expressions libr
ii  libpcre3           8.02-1.1              Perl 5 Compatible Regular Expressi
ii  libqdbm14          1.8.77-4              QDBM Database Libraries [runtime]
ii  libssl0.9.8        0.9.8o-4squeeze13     SSL shared libraries
ii  libxml2            2.7.8.dfsg-2+squeeze5 GNOME XML library
ii  mime-support       3.48-1                MIME files 'mime.types' & 'mailcap
ii  php5-common        5.3.3-7+squeeze14     Common files for packages built fr
ii  tzdata             2012g-0squeeze1       time zone and daylight-saving time
ii  ucf                3.0025+nmu1           Update Configuration File: preserv
ii  zlib1g             1:1.2.3.4.dfsg-3      compression library - runtime

Versions of packages libapache2-mod-php5 recommends:
ii  php5-cli               5.3.3-7+squeeze14 command-line interpreter for the p

Versions of packages libapache2-mod-php5 suggests:
ii  php-pear               5.3.3-7+squeeze14 PEAR - PHP Extension and Applicati

-- no debconf information
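
The resolution rule this report describes, modelled together with the upload-side filename check the reporter mentions. This is an added example, not part of the original report or of any Debian package; the extension table, the allow-list and all function names are constructed for illustration.

```python
import os

# Constructed subset of an extension -> MIME type table (assumption: a real
# server loads a far larger one from its MIME configuration).
MIME_TABLE = {
    "php": "application/x-httpd-php",
    "phtml": "application/x-httpd-php",
    "jpeg": "image/jpeg",
    "jpg": "image/jpeg",
    "png": "image/png",
    "txt": "text/plain",
}
PHP_TYPE = "application/x-httpd-php"
UPLOAD_ALLOW = frozenset({"jpeg", "jpg", "png", "txt"})  # hypothetical policy


def effective_type(filename, table=MIME_TABLE):
    """Resolve a type the way the report describes: every dot-separated
    extension is looked up, unknown ones are skipped, right-most known wins."""
    resolved = None
    for ext in os.path.basename(filename).lower().split(".")[1:]:
        resolved = table.get(ext, resolved)
    return resolved


def would_execute(filename):
    """True when the name resolves to the PHP type under that rule."""
    return effective_type(filename) == PHP_TYPE


def upload_allowed(filename, allow=UPLOAD_ALLOW):
    """Upload-side check: exactly one extension, and it is allow-listed.
    Deliberately stricter than the server rule, so the decision does not
    depend on which extensions the MIME table happens to know."""
    if filename != os.path.basename(filename):
        return False  # no directory components
    stem, *exts = filename.lower().split(".")
    return bool(stem) and len(exts) == 1 and exts[0] in allow


def surprising(names):
    """Names that run as PHP although they do not end in a PHP extension."""
    return [n for n in names if would_execute(n)
            and MIME_TABLE.get(n.lower().rsplit(".", 1)[-1]) != PHP_TYPE]


if __name__ == "__main__":
    sample = ["index.php", "nasty.php.hack", "file.php.jpeg", "photo.jpeg"]  # constructed
    for name in sample:
        print(name, would_execute(name), upload_allowed(name))
```

The upload check rejects `file.php.jpeg` even though the model says it would not execute, because that outcome holds only while `jpeg` stays in the server's table.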



Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#691413; Package libapache2-mod-php5. (Thu, 25 Oct 2012 13:57:08 GMT).


Acknowledgement sent to Ondřej Surý <ondrej@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Thu, 25 Oct 2012 13:57:08 GMT).


Message #10 received at 691413@bugs.debian.org:

From: Ondřej Surý <ondrej@debian.org>
To: Pierre Colombier <pcdwarf@pcdwarf.net>, 691413@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: [php-maint] Bug#691413: libapache2-mod-php5: php files without php extension executed by default
Date: Thu, 25 Oct 2012 15:53:50 +0200
reassign 691413 mime-support
affects 691413 +php5
affects 589384 +php5
forcemerge 589384 691413
thank you

Hi,

yes, it's a known problem and it has been fixed in wheezy.  There's no
immediate remedy in squeeze which doesn't include breaking existing
installations.

Ondrej

On Thu, Oct 25, 2012 at 2:39 PM, Pierre Colombier <pcdwarf@pcdwarf.net> wrote:
> Package: libapache2-mod-php5
> Version: 5.3.3-7+squeeze14
> Severity: normal
>
> When you have a file with a name like
>    "file.php.something",
> Apache considers it is a php file and executes it even if its name
> does not end with .php or a php-related extension
> If 'something' is a valid extension of another mimetype
> like .jpeg it won't be executed.
>
> This leads to some security issues with machines
> where files can be uploaded. For example if someone
> can upload a file named nasty.php.hack on a web server
> and then access it, he will gain access to this server with the
> same rights as apache.
> Of course this can be prevented by checking the filenames
> on upload but it is non-obvious and the default behaviour
> is sufficiently surprising not to be expected.
>
>
>
>
>
> -- System Information:
> Debian Release: 6.0.6
>   APT prefers stable-updates
>   APT policy: (500, 'stable-updates'), (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
> Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages libapache2-mod-php5 depends on:
> ii  apache2-mpm-prefor 2.2.16-6+squeeze8     Apache HTTP Server - traditional n
> ii  apache2.2-common   2.2.16-6+squeeze8     Apache HTTP Server common files
> ii  libbz2-1.0         1.0.5-6+squeeze1      high-quality block-sorting file co
> ii  libc6              2.11.3-4              Embedded GNU C Library: Shared lib
> ii  libcomerr2         1.41.12-4stable1      common error description library
> ii  libdb4.8           4.8.30-2              Berkeley v4.8 Database Libraries [
> ii  libgssapi-krb5-2   1.8.3+dfsg-4squeeze6  MIT Kerberos runtime libraries - k
> ii  libk5crypto3       1.8.3+dfsg-4squeeze6  MIT Kerberos runtime libraries - C
> ii  libkrb5-3          1.8.3+dfsg-4squeeze6  MIT Kerberos runtime libraries
> ii  libmagic1          5.04-5+squeeze2       File type determination library us
> ii  libonig2           5.9.1-1               Oniguruma regular expressions libr
> ii  libpcre3           8.02-1.1              Perl 5 Compatible Regular Expressi
> ii  libqdbm14          1.8.77-4              QDBM Database Libraries [runtime]
> ii  libssl0.9.8        0.9.8o-4squeeze13     SSL shared libraries
> ii  libxml2            2.7.8.dfsg-2+squeeze5 GNOME XML library
> ii  mime-support       3.48-1                MIME files 'mime.types' & 'mailcap
> ii  php5-common        5.3.3-7+squeeze14     Common files for packages built fr
> ii  tzdata             2012g-0squeeze1       time zone and daylight-saving time
> ii  ucf                3.0025+nmu1           Update Configuration File: preserv
> ii  zlib1g             1:1.2.3.4.dfsg-3      compression library - runtime
>
> Versions of packages libapache2-mod-php5 recommends:
> ii  php5-cli               5.3.3-7+squeeze14 command-line interpreter for the p
>
> Versions of packages libapache2-mod-php5 suggests:
> ii  php-pear               5.3.3-7+squeeze14 PEAR - PHP Extension and Applicati
>
> -- no debconf information



-- 
Ondřej Surý <ondrej@sury.org>



Bug reassigned from package 'libapache2-mod-php5' to 'mime-support'. Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Thu, 25 Oct 2012 13:57:10 GMT).


No longer marked as found in versions php5/5.3.3-7+squeeze14. Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Thu, 25 Oct 2012 13:57:11 GMT).


Added indication that 691413 affects php5. Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Thu, 25 Oct 2012 13:57:11 GMT).


Severity set to 'serious' from 'normal'. Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Thu, 25 Oct 2012 13:57:12 GMT).


Marked Bug as done. Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Thu, 25 Oct 2012 13:57:13 GMT).


Notification sent to Pierre Colombier <pcdwarf@pcdwarf.net>:
Bug acknowledged by developer. (Thu, 25 Oct 2012 13:57:13 GMT).


Marked as fixed in versions mime-support/3.52-1. Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Thu, 25 Oct 2012 13:57:13 GMT).


Marked as found in versions mime-support/3.44-1. Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Thu, 25 Oct 2012 13:57:14 GMT).


Merged 589384 691413. Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Thu, 25 Oct 2012 13:57:14 GMT).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 05 May 2013 07:31:20 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 02:56:41 2023; Machine Name: buxtehude
