The conf.d/php.conf file attaches .php files to its handler like this: AddHandler php5-script .php
However, that allows some hackery. For example, create three files, "test.php", "test.php." and "test.php.blahblah". In each, place "<?php phpinfo();" and load them in your browser: they are all rendered as PHP files.
This means that a web application which allows people to upload files (images, for example), but not PHP scripts, can be circumvented by naming the script somescript.php.notphp and then uploading it.
To solve this, it is probably better to change the handler attachment to this:

    <FilesMatch \.php$>
        SetHandler php5-script
    </FilesMatch>
kae
On Mon, Oct 13, 2008 at 02:59:31PM +0100, Kae Verens wrote:
> The conf.d/php.conf file attaches .php files to its handler like this: AddHandler php5-script .php
This is a feature, which allows MultiViews to work properly.
> This means that a web application which allows people to upload files (images, for example), but not PHP scripts, can be circumvented by naming the script somescript.php.notphp and then uploading it.
A webapp which:
a) allows users to upload files with arbitrary filenames, and b) makes such files immediately publicly accessible
is broken and insecure. Changing the default httpd configuration as you suggest won't make it secure.
Regards, Joe
php-devel@lists.fedoraproject.org