Package: libapache2-mod-php5; Maintainer for libapache2-mod-php5 is (unknown);
Reported by: Narendra Bhati <narendra.infosec@gmail.com>
Date: Tue, 1 Sep 2015 15:21:02 UTC
Severity: important
Found in version php5/5.4.34-0+deb7u1
Done: Ondřej Surý <ondrej@sury.org>
Bug is archived. No further changes may be made.
View this report as an mbox folder, status mbox, maintainer mbox
Report forwarded
to debian-bugs-dist@lists.debian.org, narendra.infosec@gmail.com, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#797686; Package libapache2-mod-php5.
(Tue, 01 Sep 2015 15:21:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Narendra Bhati <narendra.infosec@gmail.com>:
New Bug report received and forwarded. Copy sent to narendra.infosec@gmail.com, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Tue, 01 Sep 2015 15:21:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: libapache2-mod-php5
Version: 5.4.34-0+deb7u1
Severity: important
Dear Maintainer,
*** Please consider answering these questions, where appropriate ***
* What led up to the situation
Hello Debian Security Team.
Just observed a issue when one of my Arbitrary File Upload Vulnerability got fixed.
Here i am explaining you a scenario.
Many developers Prevent File Upload Vulnerability By Blocking "['php', 'php3', 'php4', 'inc']" So most of developers do the same for their application to prevent this.
But the better solution is to include this extensions also "php5,pht,phtml"
Observation: now i had observe that most of Linux Debian are defaultly set to executing "phtml" as "php" which look dangerous because most of Developer only use "php,php3,php4,inc".
So if any developer miss the "phtml" to add in black list file upload and if the Linux Debian is set to Execute "phtml" as "php" by default then the whole server can be compromise by the attacker.
For POC i had test Latest Kali Linux 2.0 which allow user to execute "phtml" as "php" by default.
The default configuration for many debians leads to the problem. following component of Debian:
% dpkg-query -S /etc/apache2/mods-available/php5.conf
libapache2-mod-php5: /etc/apache2/mods-available/php5.conf
https://packages.debian.org/jessie/libapache2-mod-php5
* What exactly did you do (or not do) that was effective (or
ineffective)?
I had create a backdoor like "backdoor.phtml" and try to execute with Apache which got successfully execute. By using this user can perform command exexecution
* What was the outcome of this action?
Many developers Prevent File Upload Vulnerability By Blocking "['php', 'php3', 'php4', 'inc']" So most of developers do the same for their application to prevent this.
But the better solution is to include this extensions also "php5,pht,phtml"
if the developer forgot to add these extentions also , and server is configured to execute "phtml" as "php" default then its can lead to server compromisation
* What outcome did you expect instead?
The php extentions should be disabled by default just like "phtml" if its required then can enable it manually. so he will aware that "phtml" is also enabled on the web server
All and all debians should come with all extra php extions disabled by default if some one needs the "phtml" then he can enable manually.
-- System Information:
Debian Release: Kali Linux 1.0.9
Architecture: i386 (i686)
Kernel: Linux 3.14-kali1-486
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libapache2-mod-php5 depends on:
ii apache2-mpm-prefork 2.2.22-13+deb7u3
ii apache2.2-common 2.2.22-13+deb7u3
ii libbz2-1.0 1.0.6-4
ii libc6 2.13-38+deb7u6
ii libcomerr2 1.42.5-1.1
ii libdb5.1 5.1.29-5
ii libgssapi-krb5-2 1.10.1+dfsg-5+deb7u2
ii libk5crypto3 1.10.1+dfsg-5+deb7u2
ii libkrb5-3 1.10.1+dfsg-5+deb7u2
ii libmagic1 5.11-2+deb7u5
ii libonig2 5.9.1-1
ii libpcre3 1:8.30-5
ii libqdbm14 1.8.78-2
ii libssl1.0.0 1.0.1e-2+deb7u13
ii libstdc++6 4.7.2-5
ii libxml2 2.8.0+dfsg1-7+wheezy2
ii mime-support 3.52-1
ii php5-common 5.4.34-0+deb7u1
ii tzdata 2014h-0wheezy1
ii ucf 3.0025+nmu3
ii zlib1g 1:1.2.7.dfsg-13
Versions of packages libapache2-mod-php5 recommends:
ii php5-cli 5.4.34-0+deb7u1
Versions of packages libapache2-mod-php5 suggests:
pn php-pear <none>
-- no debconf information
Reply sent
to Ondřej Surý <ondrej@sury.org>:
You have taken responsibility.
(Tue, 01 Sep 2015 16:45:14 GMT) (full text, mbox, link).
Notification sent
to Narendra Bhati <narendra.infosec@gmail.com>:
Bug acknowledged by developer.
(Tue, 01 Sep 2015 16:45:14 GMT) (full text, mbox, link).
Message #10 received at 797686-done@bugs.debian.org (full text, mbox, reply):
Control: notfound -1 php5/5.4.34-0+deb7u1 Hi Narenda, if you allow execution in a place where people could upload files, you are already screwed. You really have to disable the PHP engine in the directories where anybody could upload 3rd party scripts, that's why we have php_engine off directive (f.e.). Also I consider this as non-issue as they are plethora of other file extensions that might be get executed and the developers would have no idea about them. I could create plenty of PoCs like this on a server that allow execution on user uploaded scripts. Ondrej On Tue, Sep 1, 2015, at 17:20, Narendra Bhati wrote: > Package: libapache2-mod-php5 > Version: 5.4.34-0+deb7u1 > Severity: important > > Dear Maintainer, > *** Please consider answering these questions, where appropriate *** > > * What led up to the situation > > Hello Debian Security Team. > > Just observed a issue when one of my Arbitrary File Upload Vulnerability > got fixed. > > Here i am explaining you a scenario. > > Many developers Prevent File Upload Vulnerability By Blocking "['php', > 'php3', 'php4', 'inc']" So most of developers do the same for their > application to prevent this. > But the better solution is to include this extensions also > "php5,pht,phtml" > > Observation: now i had observe that most of Linux Debian are defaultly > set to executing "phtml" as "php" which look dangerous because most of > Developer only use "php,php3,php4,inc". > So if any developer miss the "phtml" to add in black list file upload and > if the Linux Debian is set to Execute "phtml" as "php" by default then > the whole server can be compromise by the attacker. > > For POC i had test Latest Kali Linux 2.0 which allow user to execute > "phtml" as "php" by default. > > The default configuration for many debians leads to the problem. > following component of Debian: > > % dpkg-query -S /etc/apache2/mods-available/php5.conf > libapache2-mod-php5: /etc/apache2/mods-available/php5.conf > > https://packages.debian.org/jessie/libapache2-mod-php5 > > * What exactly did you do (or not do) that was effective (or > ineffective)? > I had create a backdoor like "backdoor.phtml" and try to execute with > Apache which got successfully execute. By using this user can perform > command exexecution > > * What was the outcome of this action? > > Many developers Prevent File Upload Vulnerability By Blocking "['php', > 'php3', 'php4', 'inc']" So most of developers do the same for their > application to prevent this. > But the better solution is to include this extensions also > "php5,pht,phtml" > if the developer forgot to add these extentions also , and server is > configured to execute "phtml" as "php" default then its can lead to > server compromisation > * What outcome did you expect instead? > The php extentions should be disabled by default just like "phtml" if its > required then can enable it manually. so he will aware that "phtml" is > also enabled on the web server > All and all debians should come with all extra php extions disabled > by default if some one needs the "phtml" then he can enable manually. > > > -- System Information: > Debian Release: Kali Linux 1.0.9 > Architecture: i386 (i686) > > Kernel: Linux 3.14-kali1-486 > Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) > Shell: /bin/sh linked to /bin/dash > > Versions of packages libapache2-mod-php5 depends on: > ii apache2-mpm-prefork 2.2.22-13+deb7u3 > ii apache2.2-common 2.2.22-13+deb7u3 > ii libbz2-1.0 1.0.6-4 > ii libc6 2.13-38+deb7u6 > ii libcomerr2 1.42.5-1.1 > ii libdb5.1 5.1.29-5 > ii libgssapi-krb5-2 1.10.1+dfsg-5+deb7u2 > ii libk5crypto3 1.10.1+dfsg-5+deb7u2 > ii libkrb5-3 1.10.1+dfsg-5+deb7u2 > ii libmagic1 5.11-2+deb7u5 > ii libonig2 5.9.1-1 > ii libpcre3 1:8.30-5 > ii libqdbm14 1.8.78-2 > ii libssl1.0.0 1.0.1e-2+deb7u13 > ii libstdc++6 4.7.2-5 > ii libxml2 2.8.0+dfsg1-7+wheezy2 > ii mime-support 3.52-1 > ii php5-common 5.4.34-0+deb7u1 > ii tzdata 2014h-0wheezy1 > ii ucf 3.0025+nmu3 > ii zlib1g 1:1.2.7.dfsg-13 > > Versions of packages libapache2-mod-php5 recommends: > ii php5-cli 5.4.34-0+deb7u1 > > Versions of packages libapache2-mod-php5 suggests: > pn php-pear <none> > > -- no debconf information > > _______________________________________________ > pkg-php-maint mailing list > pkg-php-maint@lists.alioth.debian.org > http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-php-maint -- Ondřej Surý <ondrej@sury.org> Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Message #11 received at 797686-done@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hello Ondřej
I understand your concern. But my i was pointing out in a different
scenario. Like many Web Application lets take an exmaple of Wolf CMS
They have made some changes on invalid/malicious file upload extensions as
below
+ if (in_array($ext, ['php', 'php3', 'php4', 'inc'])) {
+ Flash::set('error', __('Not allowed to upload files with
extension :ext', $ext));
+ redirect(get_url('plugin/file_manager/browse/'));
Now as you can see here user can upload files and can access them
directly.Now here developer has not included "phtml" as a part of
invalid/malicious
file and if the web server Debian Configuration is allowing user to execute
"phtml" as "php" then finish.Now as an attacker we can try to upload
malicious file with different extensions so according to debian
configuration if server is set to execute such type of extensions..
Then Server will be compromise.
Now one of your point is you can create many other scripts which can be
execute ! this is right. But without proper configuration no
other extension will execute as Server Side Script.
so my final concern is - This type of configuration should be applied as
default when we talk about security.
waiting for your reply
On Tue, Sep 1, 2015 at 10:14 PM, Ondřej Surý <ondrej@sury.org> wrote:
> Control: notfound -1 php5/5.4.34-0+deb7u1
>
> Hi Narenda,
>
> if you allow execution in a place where people could upload files, you
> are already screwed. You really have to disable the PHP engine in the
> directories where anybody could upload 3rd party scripts, that's why we
> have php_engine off directive (f.e.).
>
> Also I consider this as non-issue as they are plethora of other file
> extensions that might be get executed and the developers would have no
> idea about them. I could create plenty of PoCs like this on a server
> that allow execution on user uploaded scripts.
>
> Ondrej
>
> On Tue, Sep 1, 2015, at 17:20, Narendra Bhati wrote:
> > Package: libapache2-mod-php5
> > Version: 5.4.34-0+deb7u1
> > Severity: important
> >
> > Dear Maintainer,
> > *** Please consider answering these questions, where appropriate ***
> >
> > * What led up to the situation
> >
> > Hello Debian Security Team.
> >
> > Just observed a issue when one of my Arbitrary File Upload Vulnerability
> > got fixed.
> >
> > Here i am explaining you a scenario.
> >
> > Many developers Prevent File Upload Vulnerability By Blocking "['php',
> > 'php3', 'php4', 'inc']" So most of developers do the same for their
> > application to prevent this.
> > But the better solution is to include this extensions also
> > "php5,pht,phtml"
> >
> > Observation: now i had observe that most of Linux Debian are defaultly
> > set to executing "phtml" as "php" which look dangerous because most of
> > Developer only use "php,php3,php4,inc".
> > So if any developer miss the "phtml" to add in black list file upload and
> > if the Linux Debian is set to Execute "phtml" as "php" by default then
> > the whole server can be compromise by the attacker.
> >
> > For POC i had test Latest Kali Linux 2.0 which allow user to execute
> > "phtml" as "php" by default.
> >
> > The default configuration for many debians leads to the problem.
> > following component of Debian:
> >
> > % dpkg-query -S /etc/apache2/mods-available/php5.conf
> > libapache2-mod-php5: /etc/apache2/mods-available/php5.conf
> >
> > https://packages.debian.org/jessie/libapache2-mod-php5
> >
> > * What exactly did you do (or not do) that was effective (or
> > ineffective)?
> > I had create a backdoor like "backdoor.phtml" and try to execute with
> > Apache which got successfully execute. By using this user can perform
> > command exexecution
> >
> > * What was the outcome of this action?
> >
> > Many developers Prevent File Upload Vulnerability By Blocking "['php',
> > 'php3', 'php4', 'inc']" So most of developers do the same for their
> > application to prevent this.
> > But the better solution is to include this extensions also
> > "php5,pht,phtml"
> > if the developer forgot to add these extentions also , and server is
> > configured to execute "phtml" as "php" default then its can lead to
> > server compromisation
> > * What outcome did you expect instead?
> > The php extentions should be disabled by default just like "phtml" if its
> > required then can enable it manually. so he will aware that "phtml" is
> > also enabled on the web server
> > All and all debians should come with all extra php extions disabled
> > by default if some one needs the "phtml" then he can enable manually.
> >
> >
> > -- System Information:
> > Debian Release: Kali Linux 1.0.9
> > Architecture: i386 (i686)
> >
> > Kernel: Linux 3.14-kali1-486
> > Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> > Shell: /bin/sh linked to /bin/dash
> >
> > Versions of packages libapache2-mod-php5 depends on:
> > ii apache2-mpm-prefork 2.2.22-13+deb7u3
> > ii apache2.2-common 2.2.22-13+deb7u3
> > ii libbz2-1.0 1.0.6-4
> > ii libc6 2.13-38+deb7u6
> > ii libcomerr2 1.42.5-1.1
> > ii libdb5.1 5.1.29-5
> > ii libgssapi-krb5-2 1.10.1+dfsg-5+deb7u2
> > ii libk5crypto3 1.10.1+dfsg-5+deb7u2
> > ii libkrb5-3 1.10.1+dfsg-5+deb7u2
> > ii libmagic1 5.11-2+deb7u5
> > ii libonig2 5.9.1-1
> > ii libpcre3 1:8.30-5
> > ii libqdbm14 1.8.78-2
> > ii libssl1.0.0 1.0.1e-2+deb7u13
> > ii libstdc++6 4.7.2-5
> > ii libxml2 2.8.0+dfsg1-7+wheezy2
> > ii mime-support 3.52-1
> > ii php5-common 5.4.34-0+deb7u1
> > ii tzdata 2014h-0wheezy1
> > ii ucf 3.0025+nmu3
> > ii zlib1g 1:1.2.7.dfsg-13
> >
> > Versions of packages libapache2-mod-php5 recommends:
> > ii php5-cli 5.4.34-0+deb7u1
> >
> > Versions of packages libapache2-mod-php5 suggests:
> > pn php-pear <none>
> >
> > -- no debconf information
> >
> > _______________________________________________
> > pkg-php-maint mailing list
> > pkg-php-maint@lists.alioth.debian.org
> > http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-php-maint
>
>
> --
> Ondřej Surý <ondrej@sury.org>
> Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
>
--
*Narendra Bhati "CEH" **( Facebook
<http://www.facebook.com/narendradewsoft> , Twitter
<http://www.twitter.com/NarendraBhatiB> , LinkedIn
<https://www.linkedin.com/profile/view?id=115146074> , Personal Blog )*
*Security Analyst - IT Risk & Security Management Services*
Suma Soft Pvt. Ltd. | Suma Center | Near Mangeshkar Hospital | Erandawane
Pune: 411004 |
*======================================================================*
[Message part 2 (text/html, inline)]
Message #12 received at 797686-done@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi again,
it's Wolf CMS that needs to be fixed to no rely on false security that
depends on file extensions.
Cheers, Ondrej
On Tue, Sep 1, 2015, at 19:00, Narendra Bhati wrote:
> Hello Ondřej
>
> I understand your concern. But my i was pointing out in a different
> scenario. Like many Web Application lets take an exmaple of Wolf CMS
>
> They have made some changes on invalid/malicious file upload
> extensions as below
>
> + if (in_array($ext, ['php', 'php3', 'php4', 'inc'])) { +
> Flash::set('error', __('Not allowed to upload files with extension
> :ext', $ext)); +
> redirect(get_url('plugin/file_manager/browse/'));
>
> Now as you can see here user can upload files and can access them
> directly.Now here developer has not included "phtml" as a part of
> invalid/malicious file and if the web server Debian Configuration is
> allowing user to execute "phtml" as "php" then finish.Now as an
> attacker we can try to upload malicious file with different extensions
> so according to debian configuration if server is set to execute such
> type of extensions.. Then Server will be compromise.
>
> Now one of your point is you can create many other scripts which can
> be execute ! this is right. But without proper configuration no other
> extension will execute as Server Side Script.
>
> so my final concern is - This type of configuration should be applied
> as default when we talk about security.
>
> waiting for your reply
>
> On Tue, Sep 1, 2015 at 10:14 PM, Ondřej Surý <ondrej@sury.org> wrote:
>> Control: notfound -1 php5/5.4.34-0+deb7u1
>>
>>
Hi Narenda,
>>
>>
if you allow execution in a place where people could upload files, you
>>
are already screwed. You really have to disable the PHP engine in the
>>
directories where anybody could upload 3rd party scripts, that's why we
>>
have php_engine off directive (f.e.).
>>
>>
Also I consider this as non-issue as they are plethora of other file
>>
extensions that might be get executed and the developers would have no
>>
idea about them. I could create plenty of PoCs like this on a server
>>
that allow execution on user uploaded scripts.
>>
>>
Ondrej
>>
>>
On Tue, Sep 1, 2015, at 17:20, Narendra Bhati wrote:
>>
> Package: libapache2-mod-php5
>>
> Version: 5.4.34-0+deb7u1
>>
> Severity: important
>>
>
>>
> Dear Maintainer,
>>
> *** Please consider answering these questions, where appropriate ***
>>
>
>>
>* What led up to the situation
>>
>
>>
>Hello Debian Security Team.
>>
>
>>
> Just observed a issue when one of my Arbitrary File Upload
> Vulnerability
>>
> got fixed.
>>
>
>>
> Here i am explaining you a scenario.
>>
>
>>
> Many developers Prevent File Upload Vulnerability By Blocking "['php',
>>
> 'php3', 'php4', 'inc']" So most of developers do the same for their
>>
> application to prevent this.
>>
> But the better solution is to include this extensions also
>>
> "php5,pht,phtml"
>>
>
>>
> Observation: now i had observe that most of Linux Debian are defaultly
>>
> set to executing "phtml" as "php" which look dangerous because most of
>>
> Developer only use "php,php3,php4,inc".
>>
> So if any developer miss the "phtml" to add in black list file
> upload and
>>
> if the Linux Debian is set to Execute "phtml" as "php" by default then
>>
> the whole server can be compromise by the attacker.
>>
>
>>
> For POC i had test Latest Kali Linux 2.0 which allow user to execute
>>
> "phtml" as "php" by default.
>>
>
>>
> The default configuration for many debians leads to the problem.
>>
> following component of Debian:
>>
>
>>
> % dpkg-query -S /etc/apache2/mods-available/php5.conf
>>
> libapache2-mod-php5: /etc/apache2/mods-available/php5.conf
>>
>
>>
> https://packages.debian.org/jessie/libapache2-mod-php5
>>
>
>>
>* What exactly did you do (or not do) that was effective (or
>>
>ineffective)?
>>
> I had create a backdoor like "backdoor.phtml" and try to execute with
>>
> Apache which got successfully execute. By using this user can perform
>>
> command exexecution
>>
>
>>
>* What was the outcome of this action?
>>
>
>>
> Many developers Prevent File Upload Vulnerability By Blocking "['php',
>>
> 'php3', 'php4', 'inc']" So most of developers do the same for their
>>
> application to prevent this.
>>
> But the better solution is to include this extensions also
>>
> "php5,pht,phtml"
>>
> if the developer forgot to add these extentions also , and server is
>>
> configured to execute "phtml" as "php" default then its can lead to
>>
> server compromisation
>>
>* What outcome did you expect instead?
>>
> The php extentions should be disabled by default just like
> "phtml" if its
>>
> required then can enable it manually. so he will aware that "phtml" is
>>
> also enabled on the web server
>>
>All and all debians should come with all extra php extions disabled
>>
>by default if some one needs the "phtml" then he can enable manually.
>>
>
>>
>
>>
> -- System Information:
>>
> Debian Release: Kali Linux 1.0.9
>>
> Architecture: i386 (i686)
>>
>
>>
> Kernel: Linux 3.14-kali1-486
>>
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
>>
> Shell: /bin/sh linked to /bin/dash
>>
>
>>
> Versions of packages libapache2-mod-php5 depends on:
>>
> ii apache2-mpm-prefork 2.2.22-13+deb7u3
>>
> ii apache2.2-common 2.2.22-13+deb7u3
>>
> ii libbz2-1.0 1.0.6-4
>>
> ii libc6 2.13-38+deb7u6
>>
> ii libcomerr2 1.42.5-1.1
>>
> ii libdb5.1 5.1.29-5
>>
> ii libgssapi-krb5-2 1.10.1+dfsg-5+deb7u2
>>
> ii libk5crypto3 1.10.1+dfsg-5+deb7u2
>>
> ii libkrb5-3 1.10.1+dfsg-5+deb7u2
>>
> ii libmagic1 5.11-2+deb7u5
>>
> ii libonig2 5.9.1-1
>>
> ii libpcre3 1:8.30-5
>>
> ii libqdbm14 1.8.78-2
>>
> ii libssl1.0.0 1.0.1e-2+deb7u13
>>
> ii libstdc++6 4.7.2-5
>>
> ii libxml2 2.8.0+dfsg1-7+wheezy2
>>
> ii mime-support 3.52-1
>>
> ii php5-common 5.4.34-0+deb7u1
>>
> ii tzdata 2014h-0wheezy1
>>
> ii ucf 3.0025+nmu3
>>
> ii zlib1g 1:1.2.7.dfsg-13
>>
>
>>
> Versions of packages libapache2-mod-php5 recommends:
>>
> ii php5-cli 5.4.34-0+deb7u1
>>
>
>>
> Versions of packages libapache2-mod-php5 suggests:
>>
> pn php-pear <none>
>>
>
>>
> -- no debconf information
>>
>
>> > _______________________________________________
>>
> pkg-php-maint mailing list
>>
> pkg-php-maint@lists.alioth.debian.org
>>
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-php-maint
>>
>>
>>
--
>>
Ondřej Surý <ondrej@sury.org>
>>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
>
>
>
> --
> *Narendra Bhati "CEH" **( Facebook[1] , Twitter[2] , LinkedIn[3] , Personal Blog )*
> *Security Analyst - IT Risk & Security Management Services*
>
> Suma Soft Pvt. Ltd. | Suma Center | Near Mangeshkar Hospital | Erandawane
> Pune: 411004 |
>
> *======================================================================*
>
--
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Links:
1. http://www.facebook.com/narendradewsoft
2. http://www.twitter.com/NarendraBhatiB
3. https://www.linkedin.com/profile/view?id=115146074
[Message part 2 (text/html, inline)]
Message #13 received at 797686-done@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Thanks, Ondřej
BTW there are many web applications which relay on this.Actually not many
there are more then hundreds or more.
Thanks for the quick response. Nice to talk with you.
Cheers To Security (y)
On Tue, Sep 1, 2015 at 11:38 PM, Ondřej Surý <ondrej@sury.org> wrote:
> Hi again,
>
> it's Wolf CMS that needs to be fixed to no rely on false security that
> depends on file extensions.
>
> Cheers,
> Ondrej
>
> On Tue, Sep 1, 2015, at 19:00, Narendra Bhati wrote:
>
> Hello Ondřej
>
> I understand your concern. But my i was pointing out in a different
> scenario. Like many Web Application lets take an exmaple of Wolf CMS
>
> They have made some changes on invalid/malicious file upload extensions as
> below
>
> + if (in_array($ext, ['php', 'php3', 'php4', 'inc'])) {
> + Flash::set('error', __('Not allowed to upload files with
> extension :ext', $ext));
> + redirect(get_url('plugin/file_manager/browse/'));
>
> Now as you can see here user can upload files and can access them
> directly.Now here developer has not included "phtml" as a part of
> invalid/malicious
> file and if the web server Debian Configuration is allowing user to
> execute "phtml" as "php" then finish.Now as an attacker we can try to
> upload malicious file with different extensions so according to debian
> configuration if server is set to execute such type of extensions..
> Then Server will be compromise.
>
> Now one of your point is you can create many other scripts which can be
> execute ! this is right. But without proper configuration no
> other extension will execute as Server Side Script.
>
> so my final concern is - This type of configuration should be applied as
> default when we talk about security.
>
> waiting for your reply
>
> On Tue, Sep 1, 2015 at 10:14 PM, Ondřej Surý <ondrej@sury.org> wrote:
>
> Control: notfound -1 php5/5.4.34-0+deb7u1
>
> Hi Narenda,
>
> if you allow execution in a place where people could upload files, you
> are already screwed. You really have to disable the PHP engine in the
> directories where anybody could upload 3rd party scripts, that's why we
> have php_engine off directive (f.e.).
>
> Also I consider this as non-issue as they are plethora of other file
> extensions that might be get executed and the developers would have no
> idea about them. I could create plenty of PoCs like this on a server
> that allow execution on user uploaded scripts.
>
> Ondrej
>
> On Tue, Sep 1, 2015, at 17:20, Narendra Bhati wrote:
> > Package: libapache2-mod-php5
> > Version: 5.4.34-0+deb7u1
> > Severity: important
> >
> > Dear Maintainer,
> > *** Please consider answering these questions, where appropriate ***
> >
> > * What led up to the situation
> >
> > Hello Debian Security Team.
> >
> > Just observed a issue when one of my Arbitrary File Upload Vulnerability
> > got fixed.
> >
> > Here i am explaining you a scenario.
> >
> > Many developers Prevent File Upload Vulnerability By Blocking "['php',
> > 'php3', 'php4', 'inc']" So most of developers do the same for their
> > application to prevent this.
> > But the better solution is to include this extensions also
> > "php5,pht,phtml"
> >
> > Observation: now i had observe that most of Linux Debian are defaultly
> > set to executing "phtml" as "php" which look dangerous because most of
> > Developer only use "php,php3,php4,inc".
> > So if any developer miss the "phtml" to add in black list file upload and
> > if the Linux Debian is set to Execute "phtml" as "php" by default then
> > the whole server can be compromise by the attacker.
> >
> > For POC i had test Latest Kali Linux 2.0 which allow user to execute
> > "phtml" as "php" by default.
> >
> > The default configuration for many debians leads to the problem.
> > following component of Debian:
> >
> > % dpkg-query -S /etc/apache2/mods-available/php5.conf
> > libapache2-mod-php5: /etc/apache2/mods-available/php5.conf
> >
> > https://packages.debian.org/jessie/libapache2-mod-php5
> >
> > * What exactly did you do (or not do) that was effective (or
> > ineffective)?
> > I had create a backdoor like "backdoor.phtml" and try to execute with
> > Apache which got successfully execute. By using this user can perform
> > command exexecution
> >
> > * What was the outcome of this action?
> >
> > Many developers Prevent File Upload Vulnerability By Blocking "['php',
> > 'php3', 'php4', 'inc']" So most of developers do the same for their
> > application to prevent this.
> > But the better solution is to include this extensions also
> > "php5,pht,phtml"
> > if the developer forgot to add these extentions also , and server is
> > configured to execute "phtml" as "php" default then its can lead to
> > server compromisation
> > * What outcome did you expect instead?
> > The php extentions should be disabled by default just like "phtml" if its
> > required then can enable it manually. so he will aware that "phtml" is
> > also enabled on the web server
> > All and all debians should come with all extra php extions disabled
> > by default if some one needs the "phtml" then he can enable manually.
> >
> >
> > -- System Information:
> > Debian Release: Kali Linux 1.0.9
> > Architecture: i386 (i686)
> >
> > Kernel: Linux 3.14-kali1-486
> > Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> > Shell: /bin/sh linked to /bin/dash
> >
> > Versions of packages libapache2-mod-php5 depends on:
> > ii apache2-mpm-prefork 2.2.22-13+deb7u3
> > ii apache2.2-common 2.2.22-13+deb7u3
> > ii libbz2-1.0 1.0.6-4
> > ii libc6 2.13-38+deb7u6
> > ii libcomerr2 1.42.5-1.1
> > ii libdb5.1 5.1.29-5
> > ii libgssapi-krb5-2 1.10.1+dfsg-5+deb7u2
> > ii libk5crypto3 1.10.1+dfsg-5+deb7u2
> > ii libkrb5-3 1.10.1+dfsg-5+deb7u2
> > ii libmagic1 5.11-2+deb7u5
> > ii libonig2 5.9.1-1
> > ii libpcre3 1:8.30-5
> > ii libqdbm14 1.8.78-2
> > ii libssl1.0.0 1.0.1e-2+deb7u13
> > ii libstdc++6 4.7.2-5
> > ii libxml2 2.8.0+dfsg1-7+wheezy2
> > ii mime-support 3.52-1
> > ii php5-common 5.4.34-0+deb7u1
> > ii tzdata 2014h-0wheezy1
> > ii ucf 3.0025+nmu3
> > ii zlib1g 1:1.2.7.dfsg-13
> >
> > Versions of packages libapache2-mod-php5 recommends:
> > ii php5-cli 5.4.34-0+deb7u1
> >
> > Versions of packages libapache2-mod-php5 suggests:
> > pn php-pear <none>
> >
> > -- no debconf information
> >
> > _______________________________________________
> > pkg-php-maint mailing list
> > pkg-php-maint@lists.alioth.debian.org
> > http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-php-maint
>
>
> --
> Ondřej Surý <ondrej@sury.org>
> Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
>
>
>
>
> --
> *Narendra Bhati "CEH" **( Facebook
> <http://www.facebook.com/narendradewsoft> , Twitter
> <http://www.twitter.com/NarendraBhatiB> , LinkedIn
> <https://www.linkedin.com/profile/view?id=115146074> , Personal Blog )*
> *Security Analyst - IT Risk & Security Management Services*
>
> Suma Soft Pvt. Ltd. | Suma Center | Near Mangeshkar Hospital | Erandawane
> Pune: 411004 |
>
> *======================================================================*
>
>
>
> --
> Ondřej Surý <ondrej@sury.org>
> Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
>
>
>
--
*Narendra Bhati "CEH" **( Facebook
<http://www.facebook.com/narendradewsoft> , Twitter
<http://www.twitter.com/NarendraBhatiB> , LinkedIn
<https://www.linkedin.com/profile/view?id=115146074> , Personal Blog )*
*Security Analyst - IT Risk & Security Management Services*
Suma Soft Pvt. Ltd. | Suma Center | Near Mangeshkar Hospital | Erandawane
Pune: 411004 |
*======================================================================*
[Message part 2 (text/html, inline)]
Message #14 received at 797686-done@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Yeah, making a snarky comments always helped a discussion.
The snippet you pasted from Wolf CMS also doesn't protect against .php5
extension which is also configured by default. That's why relying on
such poor security measure could never work and only shows a poor
security design on the application side. The default PHP configuration
cannot protect against poorly coded PHP applications. Disabling .phtml
by default would do more harm than good because it would render all
webpages that still have .phtml extensions unoperable.
Also according to the same logic because Wolf CMS isn't protected
against .php5 we should disable the .php5 extension?
This needs to be fixed in the applications, so the user uploaded scripts
could never be executed directly or through some dynamic include. That's
what I would call security.
> more then hundreds or more
There's this thing called evidence, so unless you are ready to provide
evidence for such blatant claim, please calm down and don't exaggerate.
Please calm down, think about what I wrote, and don't respond if you are
still angry.
Ondrej
On Tue, Sep 1, 2015, at 20:14, Narendra Bhati wrote:
> Thanks, Ondřej
>
> BTW there are many web applications which relay on this.Actually not
> many there are more then hundreds or more. Thanks for the quick
> response. Nice to talk with you. Cheers To Security (y)
>
> On Tue, Sep 1, 2015 at 11:38 PM, Ondřej Surý <ondrej@sury.org> wrote:
>> __
>> Hi again,
>>
>> it's Wolf CMS that needs to be fixed to no rely on false security
>> that depends on file extensions.
>>
>> Cheers, Ondrej
>>
>> On Tue, Sep 1, 2015, at 19:00, Narendra Bhati wrote:
>>> Hello Ondřej
>>>
>>> I understand your concern. But my i was pointing out in a different
>>> scenario. Like many Web Application lets take an exmaple of Wolf CMS
>>>
>>> They have made some changes on invalid/malicious file upload
>>> extensions as below
>>>
>>> + if (in_array($ext, ['php', 'php3', 'php4', 'inc'])) { +
>>> Flash::set('error', __('Not allowed to upload files with extension
>>> :ext', $ext)); +
>>> redirect(get_url('plugin/file_manager/browse/'));
>>>
>>> Now as you can see here user can upload files and can access them
>>> directly.Now here developer has not included "phtml" as a part of
>>> invalid/malicious file and if the web server Debian Configuration is
>>> allowing user to execute "phtml" as "php" then finish.Now as an
>>> attacker we can try to upload malicious file with different
>>> extensions so according to debian configuration if server is set to
>>> execute such type of extensions.. Then Server will be compromise.
>>>
>>> Now one of your point is you can create many other scripts which can
>>> be execute ! this is right. But without proper configuration no
>>> other extension will execute as Server Side Script.
>>>
>>> so my final concern is - This type of configuration should be
>>> applied as default when we talk about security.
>>>
>>> waiting for your reply
>>>
>>> On Tue, Sep 1, 2015 at 10:14 PM, Ondřej Surý <ondrej@sury.org>
>>> wrote:
>>>> Control: notfound -1 php5/5.4.34-0+deb7u1
>>>>
>>>> Hi Narenda,
>>>>
>>>> if you allow execution in a place where people could upload files,
>>>> you are already screwed. You really have to disable the PHP engine
>>>> in the directories where anybody could upload 3rd party scripts,
>>>> that's why we have php_engine off directive (f.e.).
>>>>
>>>> Also I consider this as non-issue as they are plethora of other
>>>> file extensions that might be get executed and the developers would
>>>> have no idea about them. I could create plenty of PoCs like this on
>>>> a server that allow execution on user uploaded scripts.
>>>>
>>>> Ondrej
>>>>
>>>> On Tue, Sep 1, 2015, at 17:20, Narendra Bhati wrote:
>>>> > Package: libapache2-mod-php5 Version: 5.4.34-0+deb7u1 Severity:
>>>> > important
>>>> >
>>>> > Dear Maintainer, *** Please consider answering these questions,
>>>> > where appropriate ***
>>>> >
>>>> >* What led up to the situation
>>>> >
>>>> >Hello Debian Security Team.
>>>> >
>>>> > Just observed a issue when one of my Arbitrary File Upload
>>>> > Vulnerability got fixed.
>>>> >
>>>> > Here i am explaining you a scenario.
>>>> >
>>>> > Many developers Prevent File Upload Vulnerability By Blocking
>>>> > "['php', 'php3', 'php4', 'inc']" So most of developers do the
>>>> > same for their application to prevent this. But the better
>>>> > solution is to include this extensions also "php5,pht,phtml"
>>>> >
>>>> > Observation: now i had observe that most of Linux Debian are
>>>> > defaultly set to executing "phtml" as "php" which look dangerous
>>>> > because most of Developer only use "php,php3,php4,inc". So if any
>>>> > developer miss the "phtml" to add in black list file upload and
>>>> > if the Linux Debian is set to Execute "phtml" as "php" by default
>>>> > then the whole server can be compromise by the attacker.
>>>> >
>>>> > For POC i had test Latest Kali Linux 2.0 which allow user to
>>>> > execute "phtml" as "php" by default.
>>>> >
>>>> > The default configuration for many debians leads to the problem.
>>>> > following component of Debian:
>>>> >
>>>> > % dpkg-query -S /etc/apache2/mods-available/php5.conf
>>>> > libapache2-mod-php5: /etc/apache2/mods-available/php5.conf
>>>> >
>>>> > https://packages.debian.org/jessie/libapache2-mod-php5
>>>> >
>>>> >* What exactly did you do (or not do) that was effective (or
>>>> >ineffective)? I had create a backdoor like "backdoor.phtml" and
>>>> >try to execute with Apache which got successfully execute. By
>>>> >using this user can perform command exexecution
>>>> >
>>>> >* What was the outcome of this action?
>>>> >
>>>> > Many developers Prevent File Upload Vulnerability By Blocking
>>>> > "['php', 'php3', 'php4', 'inc']" So most of developers do the
>>>> > same for their application to prevent this. But the better
>>>> > solution is to include this extensions also "php5,pht,phtml" if
>>>> > the developer forgot to add these extentions also , and server is
>>>> > configured to execute "phtml" as "php" default then its can lead
>>>> > to server compromisation * What outcome did you expect
>>>> > instead? The php extentions should be disabled by default just
>>>> > like "phtml" if its required then can enable it manually. so he
>>>> > will aware that "phtml" is also enabled on the web server All
>>>> > and all debians should come with all extra php extions disabled
>>>> > by default if some one needs the "phtml" then he can enable
>>>> > manually.
>>>> >
>>>> >
>>>> > -- System Information: Debian Release: Kali Linux 1.0.9
>>>> > Architecture: i386 (i686)
>>>> >
>>>> > Kernel: Linux 3.14-kali1-486 Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-
>>>> > 8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash
>>>> >
>>>> > Versions of packages libapache2-mod-php5 depends on: ii apache2-mpm-
>>>> > prefork 2.2.22-13+deb7u3 ii apache2.2-common 2.2.22-
>>>> > 13+deb7u3 ii libbz2-1.0 1.0.6-4 ii libc6
>>>> > 2.13-38+deb7u6 ii libcomerr2 1.42.5-1.1 ii libdb5.1
>>>> > 5.1.29-5 ii libgssapi-krb5-2 1.10.1+dfsg-5+deb7u2 ii
>>>> > libk5crypto3 1.10.1+dfsg-5+deb7u2 ii libkrb5-3
>>>> > 1.10.1+dfsg-5+deb7u2 ii libmagic1 5.11-2+deb7u5 ii
>>>> > libonig2 5.9.1-1 ii libpcre3 1:8.30-5 ii
>>>> > libqdbm14 1.8.78-2 ii libssl1.0.0 1.0.1e-
>>>> > 2+deb7u13 ii libstdc++6 4.7.2-5 ii libxml2
>>>> > 2.8.0+dfsg1-7+wheezy2 ii mime-support 3.52-1 ii php5-
>>>> > common 5.4.34-0+deb7u1 ii tzdata 2014h-
>>>> > 0wheezy1 ii ucf 3.0025+nmu3 ii zlib1g
>>>> > 1:1.2.7.dfsg-13
>>>> >
>>>> > Versions of packages libapache2-mod-php5 recommends: ii php5-cli
>>>> > 5.4.34-0+deb7u1
>>>> >
>>>> > Versions of packages libapache2-mod-php5 suggests: pn php-pear
>>>> > <none>
>>>> >
>>>> > -- no debconf information
>>>> >
>>>> > _______________________________________________
>>>> > pkg-php-maint mailing list pkg-php-maint@lists.alioth.debian.org
>>>> > http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-php-maint
>>>>
>>>>
>>>>
--
>>>>
Ondřej Surý <ondrej@sury.org>
>>>>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
>>>
>>>
>>>
>>> --
>>> *Narendra Bhati "CEH" **( Facebook[1] , Twitter[2] , LinkedIn[3] , Personal Blog )*
>>> *Security Analyst - IT Risk & Security Management Services*
>>>
>>> Suma Soft Pvt. Ltd. | Suma Center | Near Mangeshkar Hospital | Erandawane
>>> Pune: 411004 |
>>>
>>> *======================================================================*
>>>
>>
>> --
>> Ondřej Surý <ondrej@sury.org>
>> Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
>>
>>
>
>
>
> --
> *Narendra Bhati "CEH" **( Facebook[4] , Twitter[5] , LinkedIn[6] , Personal Blog )*
> *Security Analyst - IT Risk & Security Management Services*
>
> Suma Soft Pvt. Ltd. | Suma Center | Near Mangeshkar Hospital | Erandawane
> Pune: 411004 |
>
> *======================================================================*
>
--
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Links:
1. http://www.facebook.com/narendradewsoft
2. http://www.twitter.com/NarendraBhatiB
3. https://www.linkedin.com/profile/view?id=115146074
4. http://www.facebook.com/narendradewsoft
5. http://www.twitter.com/NarendraBhatiB
6. https://www.linkedin.com/profile/view?id=115146074
[Message part 2 (text/html, inline)]
Message #15 received at 797686-done@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
No Man, I am not angry and i actually i never get angry. We are discussing
something so there is no place for angriness :)
And I totally agree on your statement.
I don't have written proof, but as we see on daily basis. Many
vulnerabilities discovered everyday due to these cases. That`s why I
thought what if we disable such type of extensions which used quite some
time.I already know and observe the point which you have said, But i was
also trying to think from developer point of view.
In those cases developer should be aware about these things which can
prevent this type of cases.
Have a great day
Nice to talk with you.
Cheers
On Wed, Sep 2, 2015 at 12:16 AM, Ondřej Surý <ondrej@sury.org> wrote:
> Yeah, making a snarky comments always helped a discussion.
>
> The snippet you pasted from Wolf CMS also doesn't protect against .php5
> extension which is also configured by default. That's why relying on such
> poor security measure could never work and only shows a poor security
> design on the application side. The default PHP configuration cannot
> protect against poorly coded PHP applications. Disabling .phtml by default
> would do more harm than good because it would render all webpages that
> still have .phtml extensions unoperable.
>
> Also according to the same logic because Wolf CMS isn't protected against
> .php5 we should disable the .php5 extension?
>
> This needs to be fixed in the applications, so the user uploaded scripts
> could never be executed directly or through some dynamic include. That's
> what I would call security.
>
>
> more then hundreds or more
>
>
> There's this thing called evidence, so unless you are ready to provide
> evidence for such blatant claim, please calm down and don't exaggerate.
>
> Please calm down, think about what I wrote, and don't respond if you are
> still angry.
>
> Ondrej
>
> On Tue, Sep 1, 2015, at 20:14, Narendra Bhati wrote:
>
> Thanks, Ondřej
>
> BTW there are many web applications which relay on this.Actually not many
> there are more then hundreds or more.
> Thanks for the quick response. Nice to talk with you.
> Cheers To Security (y)
>
> On Tue, Sep 1, 2015 at 11:38 PM, Ondřej Surý <ondrej@sury.org> wrote:
>
>
> Hi again,
>
> it's Wolf CMS that needs to be fixed to no rely on false security that
> depends on file extensions.
>
> Cheers,
> Ondrej
>
> On Tue, Sep 1, 2015, at 19:00, Narendra Bhati wrote:
>
> Hello Ondřej
>
> I understand your concern. But my i was pointing out in a different
> scenario. Like many Web Application lets take an exmaple of Wolf CMS
>
> They have made some changes on invalid/malicious file upload extensions as
> below
>
> + if (in_array($ext, ['php', 'php3', 'php4', 'inc'])) {
> + Flash::set('error', __('Not allowed to upload files with
> extension :ext', $ext));
> + redirect(get_url('plugin/file_manager/browse/'));
>
> Now as you can see here user can upload files and can access them
> directly.Now here developer has not included "phtml" as a part of
> invalid/malicious
> file and if the web server Debian Configuration is allowing user to
> execute "phtml" as "php" then finish.Now as an attacker we can try to
> upload malicious file with different extensions so according to debian
> configuration if server is set to execute such type of extensions..
> Then Server will be compromise.
>
> Now one of your point is you can create many other scripts which can be
> execute ! this is right. But without proper configuration no
> other extension will execute as Server Side Script.
>
> so my final concern is - This type of configuration should be applied as
> default when we talk about security.
>
> waiting for your reply
>
> On Tue, Sep 1, 2015 at 10:14 PM, Ondřej Surý <ondrej@sury.org> wrote:
>
> Control: notfound -1 php5/5.4.34-0+deb7u1
>
> Hi Narenda,
>
> if you allow execution in a place where people could upload files, you
> are already screwed. You really have to disable the PHP engine in the
> directories where anybody could upload 3rd party scripts, that's why we
> have php_engine off directive (f.e.).
>
> Also I consider this as non-issue as they are plethora of other file
> extensions that might be get executed and the developers would have no
> idea about them. I could create plenty of PoCs like this on a server
> that allow execution on user uploaded scripts.
>
> Ondrej
>
> On Tue, Sep 1, 2015, at 17:20, Narendra Bhati wrote:
> > Package: libapache2-mod-php5
> > Version: 5.4.34-0+deb7u1
> > Severity: important
> >
> > Dear Maintainer,
> > *** Please consider answering these questions, where appropriate ***
> >
> > * What led up to the situation
> >
> > Hello Debian Security Team.
> >
> > Just observed a issue when one of my Arbitrary File Upload Vulnerability
> > got fixed.
> >
> > Here i am explaining you a scenario.
> >
> > Many developers Prevent File Upload Vulnerability By Blocking "['php',
> > 'php3', 'php4', 'inc']" So most of developers do the same for their
> > application to prevent this.
> > But the better solution is to include this extensions also
> > "php5,pht,phtml"
> >
> > Observation: now i had observe that most of Linux Debian are defaultly
> > set to executing "phtml" as "php" which look dangerous because most of
> > Developer only use "php,php3,php4,inc".
> > So if any developer miss the "phtml" to add in black list file upload and
> > if the Linux Debian is set to Execute "phtml" as "php" by default then
> > the whole server can be compromise by the attacker.
> >
> > For POC i had test Latest Kali Linux 2.0 which allow user to execute
> > "phtml" as "php" by default.
> >
> > The default configuration for many debians leads to the problem.
> > following component of Debian:
> >
> > % dpkg-query -S /etc/apache2/mods-available/php5.conf
> > libapache2-mod-php5: /etc/apache2/mods-available/php5.conf
> >
> > https://packages.debian.org/jessie/libapache2-mod-php5
> >
> > * What exactly did you do (or not do) that was effective (or
> > ineffective)?
> > I had create a backdoor like "backdoor.phtml" and try to execute with
> > Apache which got successfully execute. By using this user can perform
> > command exexecution
> >
> > * What was the outcome of this action?
> >
> > Many developers Prevent File Upload Vulnerability By Blocking "['php',
> > 'php3', 'php4', 'inc']" So most of developers do the same for their
> > application to prevent this.
> > But the better solution is to include this extensions also
> > "php5,pht,phtml"
> > if the developer forgot to add these extentions also , and server is
> > configured to execute "phtml" as "php" default then its can lead to
> > server compromisation
> > * What outcome did you expect instead?
> > The php extentions should be disabled by default just like "phtml" if its
> > required then can enable it manually. so he will aware that "phtml" is
> > also enabled on the web server
> > All and all debians should come with all extra php extions disabled
> > by default if some one needs the "phtml" then he can enable manually.
> >
> >
> > -- System Information:
> > Debian Release: Kali Linux 1.0.9
> > Architecture: i386 (i686)
> >
> > Kernel: Linux 3.14-kali1-486
> > Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> > Shell: /bin/sh linked to /bin/dash
> >
> > Versions of packages libapache2-mod-php5 depends on:
> > ii apache2-mpm-prefork 2.2.22-13+deb7u3
> > ii apache2.2-common 2.2.22-13+deb7u3
> > ii libbz2-1.0 1.0.6-4
> > ii libc6 2.13-38+deb7u6
> > ii libcomerr2 1.42.5-1.1
> > ii libdb5.1 5.1.29-5
> > ii libgssapi-krb5-2 1.10.1+dfsg-5+deb7u2
> > ii libk5crypto3 1.10.1+dfsg-5+deb7u2
> > ii libkrb5-3 1.10.1+dfsg-5+deb7u2
> > ii libmagic1 5.11-2+deb7u5
> > ii libonig2 5.9.1-1
> > ii libpcre3 1:8.30-5
> > ii libqdbm14 1.8.78-2
> > ii libssl1.0.0 1.0.1e-2+deb7u13
> > ii libstdc++6 4.7.2-5
> > ii libxml2 2.8.0+dfsg1-7+wheezy2
> > ii mime-support 3.52-1
> > ii php5-common 5.4.34-0+deb7u1
> > ii tzdata 2014h-0wheezy1
> > ii ucf 3.0025+nmu3
> > ii zlib1g 1:1.2.7.dfsg-13
> >
> > Versions of packages libapache2-mod-php5 recommends:
> > ii php5-cli 5.4.34-0+deb7u1
> >
> > Versions of packages libapache2-mod-php5 suggests:
> > pn php-pear <none>
> >
> > -- no debconf information
> >
> > _______________________________________________
> > pkg-php-maint mailing list
> > pkg-php-maint@lists.alioth.debian.org
> > http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-php-maint
>
>
> --
> Ondřej Surý <ondrej@sury.org>
> Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
>
>
>
>
> --
> *Narendra Bhati "CEH" **( Facebook
> <http://www.facebook.com/narendradewsoft> , Twitter
> <http://www.twitter.com/NarendraBhatiB> , LinkedIn
> <https://www.linkedin.com/profile/view?id=115146074> , Personal Blog )*
> *Security Analyst - IT Risk & Security Management Services*
>
> Suma Soft Pvt. Ltd. | Suma Center | Near Mangeshkar Hospital | Erandawane
> Pune: 411004 |
>
> *======================================================================*
>
>
>
> --
> Ondřej Surý <ondrej@sury.org>
> Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
>
>
>
>
>
>
> --
> *Narendra Bhati "CEH" **( Facebook
> <http://www.facebook.com/narendradewsoft> , Twitter
> <http://www.twitter.com/NarendraBhatiB> , LinkedIn
> <https://www.linkedin.com/profile/view?id=115146074> , Personal Blog )*
> *Security Analyst - IT Risk & Security Management Services*
>
> Suma Soft Pvt. Ltd. | Suma Center | Near Mangeshkar Hospital | Erandawane
> Pune: 411004 |
>
> *======================================================================*
>
>
>
> --
> Ondřej Surý <ondrej@sury.org>
> Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
>
>
>
--
*Narendra Bhati "CEH" **( Facebook
<http://www.facebook.com/narendradewsoft> , Twitter
<http://www.twitter.com/NarendraBhatiB> , LinkedIn
<https://www.linkedin.com/profile/view?id=115146074> , Personal Blog )*
*Security Analyst - IT Risk & Security Management Services*
Suma Soft Pvt. Ltd. | Suma Center | Near Mangeshkar Hospital | Erandawane
Pune: 411004 |
*======================================================================*
[Message part 2 (text/html, inline)]
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 30 Sep 2015 07:33:00 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.