How Apache PHPs setting exposes a security risk
Now, reading that Apache, when configured with AddType or AddHandler, will execute any file with ".php" anywhere in it's filename, I was a bit chocked.
First I verified it on my server which is a Debian Lenny with Apache2 and php5.
I created the files somewhere in my webroot:
Both files execute by the php engine.
But it gets worse...
I then removed EVERYTHING regarding php from my Apache2 configuration and restarted the webserver - Obviously, I would get plain ascii source code output this time.
Continuing I readded "LoadModule php5_module /usr/lib/apache2/modules/libphp5.so".
What now? Both files still execute by the php engine! Even without AddType, AddHandler or SetHandler.
The PHP Manual talks about a solution to use instead of AddHandler:
Action Point 8:
Tell Apache to parse certain extensions as PHP. For example, let's have Apache parse .php files as PHP. Instead of only using the Apache AddType directive, we want to avoid potentially dangerous uploads and created files such as exploit.php.jpg from being executed as PHP. Using this example, you could have any extension(s) parse as PHP by simply adding them. We'll add .php to demonstrate.And it includes a snippet for a suggested practice:
<FilesMatch \.php$>Now, atleast in my case this doesn't help since a simple LoadModule activates the awesomeness of *.php*.
This is, I found, due to the Apache TypesConfig directive.
Debian Apache include: "TypesConfig /etc/mime.types" if mod_mime is loaded.
Contrary to the Apache documentation on TypesConfig, the extensions in that file are not actually extensions.... they're substrings!
php_admin_flag engine off