Beware of the default Apache 2 config for PHP

iBlog - Ilia Alshanetsky

Home Who am I? Projects Talks Publications Pictures

Guide to PHP Security

Quicksearch

Calendar

Back February '12
Sun Mon Tue Wed Thu Fri Sat
      1 2 3 4
5 6 7 8 9 10 11
12 13 14 15 16 17 18
19 20 21 22 23 24 25
26 27 28 29      

Comments

Mike about PHP's Output Buffering
Mon, 12.12.2011 05:12
How about a PHP_OUTPUT_HANDLER _ABSORBENT flag for trunk? ob_start(null, 1024, PHP_OUTPU T_HANDLER_STDFLAGS | PHP [...]
gphilip about PHP's Output Buffering
Mon, 12.12.2011 03:56
Hi, "What was unusual is th at 16 calls to ob_start() up c hewing through almost 700kb of memory" Can you give [...]
Ilia Alshanetsky about PHP's Output Buffering
Thu, 08.12.2011 11:49
In PHP 5.4 the default buffer size was reduced to 0x4000 (16 kb), which in part is responsi ble for the performance [...]
Chris Jones about PHP's Output Buffering
Thu, 08.12.2011 10:00
An error is thrown in PHP 5.4 but not PHP 5.3: $ cat t.ph p $ php54 t.php PHP Warn ing: ob_start(): no arr [...]
Chris Jones about PHP's Output Buffering
Thu, 08.12.2011 09:55
For people not following PHP d evelopment, output buffering c hanged a lot in PHP 5.4. Runni ng this: $a = microti [...]
Sebastian about PHP's Output Buffering
Thu, 08.12.2011 06:04
I dont understand your post be cause the first parameter for ob_start is not the chunk size , it is the callback fun [...]
Ilia Alshanetsky about PHP's Output Buffering
Thu, 08.12.2011 05:21
You can try the test at: http ://pastebin.com/Kjpmea3h in this test the new code is abo ut 25% faster, not to me [...]
Ilia Alshanetsky about PHP's Output Buffering
Thu, 08.12.2011 04:19
Think of a templating system t hat needs to generate various sub-templates and place result ing data in various diff [...]
Ilia Alshanetsky about PHP's Output Buffering
Thu, 08.12.2011 04:10
There is a really good reason why it is slower. Your text is quite big, but you set your i nitial buffer size to me [...]
Ilia Alshanetsky about PHP's Output Buffering
Thu, 08.12.2011 04:05
You are correct, it should say 10kb not 20... I'll adjust.

Monday, August 30. 2010

Posted by Ilia Alshanetsky in PHP

Comments (14)
Trackbacks (0)

Beware of the default Apache 2 config for PHP

About a week ago, I was doing some upgrades on my development machine and came across a rather nasty issue when it comes to how .php(s) files are associated with PHP in Apache. It seems that a number of distros including Gentoo (which is what I was using) are using the following configuration directive to make the PHP module parse PHP files:

<IfModule mod_mime.c>
AddHandler application/x-httpd-php .php
AddHandler application/x-httpd-php-source .phps
</IfModule>


The non-obvious problem with the above is that it will allow not only "file.php" to be treated as PHP scripts, but also "file.php.txt", which means that any file containing ".php" in its name, no matter where in the filename, would be treated as a PHP script. This of course creates a rather nasty security hole, since many upload file validation tools, only check the final extension. Consequently allowing the user to by-pass the validation, by simply prefixing another "harmless" extension like .txt, .pdf, etc... to the filename, but still get the code to execute.

To mitigate this problem you should instead use the following configuration, that would only pick-up of files ending with a .php extension.


<IfModule mod_mime.c>
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
</IfModule>


The difference between the two configurations being that the original uses AddHandler (bad) and the latter uses AddType (good).
Twitter Bookmark Beware of the default Apache 2 config for PHP at del.icio.us Facebook Google Bookmarks FriendFeed Digg Beware of the default Apache 2 config for PHP Bloglines Beware of the default Apache 2 config for PHP Technorati Beware of the default Apache 2 config for PHP Bookmark Beware of the default Apache 2 config for PHP at YahooMyWeb Bookmark Beware of the default Apache 2 config for PHP at reddit.com Bookmark Beware of the default Apache 2 config for PHP at Simpy.com Bookmark Beware of the default Apache 2 config for PHP at blogmarks Stumble It! Print this article! E-mail this story to a friend!

Trackbacks
Trackback specific URI for this entry

PingBack
Weblog: www.developercast.com
Tracked: Aug 31, 10:55

Comments
Display comments as (Linear | Threaded)

This sounds more like an Apache bug. Using AddType instead of AddHandler has other side effects; namely, it screws up content negotiation.
#1 Gustavo Lopes on 2010-08-30 17:46 (Reply)
Actually AddHandler works exactly as described, even apache documentation mentions it should be used very carefully, since it will pick up on things like foo.bar.php.txt.

I have yet to see the "content negotiation" issues you've mentioned, do you have any specific references?
#1.1 Ilia Alshanetsky (Homepage) on 2010-08-30 18:31 (Reply)
I mean let's say you have named test.php. You use MultiViews and URLs without extensions, relying on content negotiation to find the most appropriate file. Let's say a UA makes a request like this:

GET /test HTTP/1.1
Host: whatever
Accept: text/html

With AddHandler and the type of .php set to text/html, this works fine. As soon as you replace AddHandler with AddType, you get this:

HTTP/1.1 406 Not Acceptable
Date: Tue, 31 Aug 2010 03:20:07 GMT
Alternates: {"test.php" 1 {type application/x-httpd-php} {length 26}}
Vary: negotiate

This is because the content-type of .php files is not actually "application/x-httpd-php"; this is just a hack you use to force them to be interpreted as php scripts. There are actually UAs (I think Google Bot is on them) that send requests with an Accept header and without accepting */*.

You are right, in that this is documented behavior, but it seems to be that you should stick to AddHandler and use instead something like (add &lt;):

FilesMatch "\.php.">
RemoveHandler .php
/FilesMatch>
#1.1.1 Gustavo Lopes on 2010-08-30 23:32 (Reply)
This guy things you are wrong, go figure:
http://www.devside.net/articles/php
#2 bungle on 2010-08-30 20:26 (Reply)
Well, it is not about wrong or right, If you want a.php.txt to be treated as a PHP script then, by all means use AddHandler. However if you only want files ending with .php to be parsed as PHP scripts you should use AddType.
#2.1 Ilia Alshanetsky (Homepage) on 2010-08-30 21:40 (Reply)
See:
- http://httpd.apache.org/docs/2.2/mod/mod_mime.html#addhandler
- http://httpd.apache.org/docs/2.2/mod/mod_mime.html#multipleext
- http://httpd.apache.org/docs/2.2/mod/mod_mime.html#addtype

Please read the documentation before making recommendations to other people.

There's also 2 Gentoo bugs related to this (and similar) issues:
- http://bugs.gentoo.org/show_bug.cgi?id=162478
- http://bugs.gentoo.org/show_bug.cgi?id=279099
#3 AllenJB on 2010-08-31 02:29 (Reply)
This is not entirely correct, it depends on the bogus extension. If you append .txt to a PHP file, .txt get's precedence and the .PHP file is not executed. Only once the extension is unknown (say for example: file.php.fubar) then it get's parsed by the PHP engine.

I don't know exactly how it works with other known extensions, but I've written a blog about this topic a while back: http://blog.dynom.nl/archives/Be-careful-with-double-extensions_20081024_25.html
#4 Mark van der Velden (Homepage) on 2010-08-31 05:36 (Reply)
Actually with .txt the PHP code gets executed, one of the reasons I found the problem out since the test server had a script.php.txt file. When it was requested, instead of loading up text content, it showed the output of the PHP script instead.
#4.1 Ilia Alshanetsky (Homepage) on 2010-08-31 15:17 (Reply)
Interesting behavior, I've tried it with several extension back then and it only worked on bogus file extensions. Not "known" file extensions.

Perhaps I used a different configuration and different apache version, it's still an interesting and potentially dangerous difference though.
#4.1.1 Mark van der Velden (Homepage) on 2010-09-01 02:15 (Reply)
Ubuntu (at least the current 10.04 LTS) uses a variant which in my opinion is a better solution than switching from AddHandler to AddType. FilesMatch check with a regular expression, what the truly last ending of the file is, and uses SetHandler accordingly.

...

SetHandler application/x-httpd-php

...
#5 Henning Kockerbeck (Homepage) on 2010-08-31 06:21 (Reply)
Sorry, looks like the filter on this blog doesn't like Apache directives with brackets that look like HTML tags ;-)

It is

FilesMatch "\.ph(p3?|tml)$">
SetHandler application/x-httpd-php
/FilesMatch>
#5.1 Henning Kockerbeck (Homepage) on 2010-08-31 06:24 (Reply)
Thank you for this blog post Ilia. I was trying desperately to find out what was going on after the last upgrade.

The only message that I get (still unfortunately) is:

Sep 6 01:27:34 machine kernel: [197892.053255] apache2[6193]: segfault at 69 ip 00007fa76c277294 sp 00007fff62820730 error 4 in libphp5.so[7fa76c1b6000+3b8000]

That effectively is what is logged when I try to start apache. I tried the AddType approach on 70_mod_php5.conf file but the same error appeared again.

Did you see something similar in your installation?
#6 Nikolaos Dimopoulos (Homepage) on 2010-09-05 21:37 (Reply)
No, I am not seeing any crash messages from PHP.
#6.1 Ilia Alshanetsky (Homepage) on 2010-09-07 15:43 (Reply)
thanks for your insightful tips, I was recently given an assignment to administer a LAMP server for my university dept. I'm not a natural-born administrator, rather an application developer, your tips really helped me in securing the server.
#7 mypapit@gmail.com (Homepage) on 2010-09-16 00:40 (Reply)

Add Comment

Standard emoticons like :-) and ;-) are converted to images.
E-Mail addresses will not be displayed and will only be used for E-Mail notifications.
 
 

Frontpage - Top level

My Flickr Stream

Berlin's Time Zone Rainbow Building Nouvelle synagogue de Berlin Bobcat Guard Tower Looking Away Eagle Scream I'm ready for my close-up Bald Eagle Profile Hawk Lazy Lynx

Archives

Categories



All categories

Syndicate This Blog

Blog Administration

Open login screen

Twitter