
I am a security researcher who has been running into multiple cases where file upload forms can be exploited, allowing attacker-controlled PHP code to be interpreted by the server, leading to remote code execution. The root cause of this vulnerability seems to be a legacy setting that is enabled by default in the Apache config of the following Linux distros:

  • CentOS 5.8
  • CentOS 6.5
  • RedHat 5.10
  • RedHat 6.5

and possibly others. The setting is:

AddHandler application/x-httpd-php .php

The effect of this setting that is concerning is that it tells the server that files with names matching \.php should be interpreted as PHP code. If an attacker uploads an image with the name shell.php.jpg with PHP code embedded in it, and navigates to the page, the server will execute the script as the server user.

My recommended remediation is to disable this setting by commenting it out. My reasoning is that .php files already have an implicit handler built into Apache, which tells the server to interpret the code as PHP, so this setting seems to my eyes to be redundant. I get the feeling that this is a legacy setting carried forward by old versions of CentOS and RedHat, and the newest versions do not have this setting.

My question is: Under what circumstances will disabling this setting break functionality?

some.hacker

1 Answer

My reasoning is that .php files already have an implicit handler built in to Apache, which tells the server to interpret the code as php

As far as I know, there is no implicit handler; this AddHandler command is what tells Apache to pass files with a .php extension to the application/x-httpd-php handler (mod_php).

However, overall you are correct. It is (apparently) a little known feature of mod_mime that files with multiple extensions have ALL of their extensions examined for handlers and other information. Apache's documentation suggests that that directive should be replaced with:

<FilesMatch \.php$>
  SetHandler application/x-httpd-php
</FilesMatch>

to only pass files ending in .php to that handler.

The best solution, though, would be to store untrusted user-uploaded files outside of DocumentRoot where browsers can't request script.php.jpg (or mail out links to http://www.example.com/uploads/thisisreallyyourbank.html).

DerfK
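An added example, not from either poster, that models the difference the answer describes: under AddHandler, mod_mime examines every extension of a multi-extension filename (simplified here to "right-most recognised handler extension wins, unknown extensions ignored"), while the FilesMatch replacement only fires on an anchored \.php$ regex. The handler table and sample filenames are constructed for the demonstration.

```python
import re

# Constructed handler table modelling the legacy directive from the question:
#   AddHandler application/x-httpd-php .php
ADDHANDLER_TABLE = {"php": "application/x-httpd-php"}

# The replacement quoted in the answer:
#   <FilesMatch \.php$> SetHandler application/x-httpd-php </FilesMatch>
FILESMATCH_RE = re.compile(r"\.php$")


def addhandler_handler(filename):
    """Simplified model of mod_mime with AddHandler: every extension after the
    first dot is examined (case-insensitively); the right-most extension that
    maps to a handler wins, and extensions with no mapping are ignored."""
    handler = None
    basename = filename.rsplit("/", 1)[-1]
    for ext in basename.split(".")[1:]:
        handler = ADDHANDLER_TABLE.get(ext.lower(), handler)
    return handler


def filesmatch_handler(filename):
    """SetHandler inside <FilesMatch \\.php$>: only the anchored regex on the
    basename decides, so a trailing .jpg or .txt defeats the match."""
    basename = filename.rsplit("/", 1)[-1]
    return "application/x-httpd-php" if FILESMATCH_RE.search(basename) else None


# Constructed sample of names an upload form might receive.
SAMPLE_UPLOADS = ["index.php", "shell.php.jpg", "avatar.jpg",
                  "report.php.txt", "x.jpg.php"]


def compare(filenames=SAMPLE_UPLOADS):
    """Map each filename to (handler under AddHandler, handler under FilesMatch)."""
    return {f: (addhandler_handler(f), filesmatch_handler(f)) for f in filenames}


def risky_under_addhandler(filenames=SAMPLE_UPLOADS):
    """Names the legacy config would execute but the FilesMatch config would not."""
    return [f for f, (legacy, fixed) in compare(filenames).items()
            if legacy and not fixed]


if __name__ == "__main__":
    for name, (legacy, fixed) in compare().items():
        print(f"{name:16} AddHandler={str(legacy):24} FilesMatch={fixed}")
    print("executed only under the legacy config:", risky_under_addhandler())
```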