Apache and extensions

Posted by attroll, 01-14-2008, 12:01 AM
I have found a hole in one of my servers that someone else pointed out. Here is what I found. A fake image can get uploaded to the server like test.php.psd and the server will think it is an image file but in fact it is a PHP file. Then when the server accesses the file Apache does not recognize the file and automatically assumes that it is a PHP file and tries to execute it as a PHP file. If the file is not recognizable and it cannot open it as an image file then it should not automatically try to execute it as a PHP file. Am I wrong in assuming this? Here are two sample files. Here is a sample file that you can try:
http://www.yoursite.net/test.php.psd
http://www.yoursite.net/test.php.wmv
How can I create files like this that are not recognized by Apache from being automatically executed as a PHP file?

Posted by ub3r, 01-14-2008, 12:11 AM
Are you running mod_php or phpsuexec (CGI)? If you're running mod_php, you could shut off execution of PHP on a per-directory basis by putting this into your somedirectory/.htaccess:
php_value engine 0

Posted by attroll, 01-14-2008, 12:36 AM
I don't want to shut off PHP. I want to stop files that are not recognized and automatically being executed as a PHP file when they're not recognized.

Posted by bitserve, 01-14-2008, 01:55 PM
Remove mod_mime_magic.

Posted by attroll, 01-14-2008, 09:20 PM
I do not see it in my PHP settings. I have mod_mime in it but not mod_mime_magic.

Posted by ub3r, 01-15-2008, 12:19 AM
It's an Apache module.
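Added example, not part of any post in the thread: a simplified Python model of how mod_mime (the module attroll reports is loaded) resolves filenames with several extensions, following the "files with multiple extensions" behaviour in the Apache 2.x documentation, next to an upload-side filename check. The two configurations, the type mappings and the allow-list are assumptions constructed for illustration.

```python
# Simplified model of mod_mime's documented multi-extension lookup (Apache 2.x).
# All mappings below are constructed for this example, not taken from the thread.
PHP = "application/x-httpd-php"
ADDHANDLER_CFG = {"handlers": {"php": PHP}, "types": {"jpg": "image/jpeg"}}  # AddHandler ... .php
ADDTYPE_CFG = {"handlers": {}, "types": {"php": PHP, "jpg": "image/jpeg"}}   # AddType ... .php
ALLOWED_UPLOAD_EXTS = {"jpg", "png", "gif"}  # hypothetical upload policy


def resolve(filename, cfg):
    """Return (handler, content_type) for a filename.

    Each dot-separated extension after the base name is looked up; for each
    kind of metadata the rightmost extension with a mapping wins, and
    extensions with no mapping are skipped.
    """
    handler = ctype = None
    for ext in filename.lower().split(".")[1:]:
        handler = cfg["handlers"].get(ext, handler)
        ctype = cfg["types"].get(ext, ctype)
    return handler, ctype


def runs_as_php(filename, cfg):
    """True if the request would be handed to PHP under this model."""
    handler, ctype = resolve(filename, cfg)
    # With no explicit handler, the content type acts as the handler name.
    return (handler or ctype) == PHP


def upload_name_ok(filename):
    """Upload-side check: exactly one extension, and it is on the allow-list."""
    parts = filename.lower().split(".")
    return len(parts) == 2 and parts[0] != "" and parts[1] in ALLOWED_UPLOAD_EXTS


if __name__ == "__main__":
    for name in ("test.php.psd", "test.php.wmv", "test.php.jpg", "photo.jpg"):
        print(name,
              "AddHandler:", runs_as_php(name, ADDHANDLER_CFG),
              "AddType:", runs_as_php(name, ADDTYPE_CFG),
              "upload ok:", upload_name_ok(name))
```

On the server side, the Apache documentation's remedy is to bind PHP with SetHandler inside a FilesMatch block anchored on the final extension ("\.php$") rather than with AddHandler or AddType. PHP execution can additionally be switched off in upload directories, as ub3r suggests.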
