[VIM] PHP File Upload Vulnerability with extra Extension

GM darkfig gmdarkfig at gmail.com
Wed May 14 19:23:24 UTC 2008


Hi =)

If the filename is a well-known extension (jpg, gif, etc...), it can be
interpreted as a php file if there is a .htaccess file with this type of
content:

# backdoor.php.jpg
AddHandler application/x-httpd-php .php

If the extension is unknown (zzz, jpx, etc...), it can be interpreted as a
php file if the module mod_mime is loaded:

# backdoor.php.xxx
LoadModule mime_module modules/mod_mime.so

- darkfig

2008/5/13 str0ke <str0ke at milw0rm.com>:
> Thank you both for the explanation.
>
> regards,
> /str0ke
>
> Matthew Murphy wrote:
>>
>> On May 12, 2008, at 2:28 PM, str0ke wrote:
>>
>>> I have forgotten what caused the vulnerability where you upload a file
>>> such as somefile.php.jpg and it can be executed as a php script.  I know
>>> this isn't a php vulnerability as much as an addon.  I think in the past
>>> it was suexec that caused this but not sure.  Anyone have a clue?
>>>
>>> Regards,
>>> /str0ke
>>
>> It's a design decision, according to ASF.  The idea is that you can
>> have multiple extensions, e.g:
>>
>> index.html.en
>>
>> Both of which affect the content processing in some way.  The .html
>> file tells the core that it is a static document, but the .en tells
>> mod_negotiation that it is an English-language version of
>> 'index.html'.  The same processing is done for PHP content, e.g.:
>>
>> index.php.fr
>>
>> Will be processed if I request 'index.php' with an Accept-Language
>> header including 'fr' or a subcode of it.
>>
>> - Matt
>>
>
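
Added example, not part of the original posts: a simplified Python model of the multi-extension lookup discussed in this thread, usable as an upload-side filename check that looks at every extension rather than only the last one. The function names and the sample handler/type maps are assumptions made for the illustration; a real check would take the mappings from the server's actual configuration.

```python
# Added example: simplified model of how mod_mime reads multi-extension names.
PHP = "application/x-httpd-php"

# Constructed sample configuration (not taken from a real server).
SAMPLE_HANDLERS = {"php": PHP}                      # AddHandler ... .php
SAMPLE_TYPES = {"jpg": "image/jpeg", "gif": "image/gif", "html": "text/html"}


def resolve(filename, handlers, types):
    """Return (handler, content_type) derived from the file name.

    Every dot-separated extension after the base name is looked up,
    case-insensitively. Unknown extensions are skipped, and for each
    kind of metadata the right-most matching extension wins.
    """
    handler = ctype = None
    for ext in filename.lower().split(".")[1:]:
        handler = handlers.get(ext, handler)
        ctype = types.get(ext, ctype)
    return handler, ctype


def runs_as_php(filename, handlers, types):
    """True if either the handler or the content type resolves to PHP."""
    handler, ctype = resolve(filename, handlers, types)
    return PHP in (handler, ctype)


def upload_name_is_safe(filename, handlers, types, allowed=("jpg", "gif")):
    """Upload check: allowed final extension and no PHP mapping anywhere."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[-1] not in allowed:
        return False
    return not runs_as_php(filename, handlers, types)


if __name__ == "__main__":
    for name in ("photo.jpg", "backdoor.php.jpg", "backdoor.php.xxx"):
        print(name, resolve(name, SAMPLE_HANDLERS, SAMPLE_TYPES),
              upload_name_is_safe(name, SAMPLE_HANDLERS, SAMPLE_TYPES))
```

Storing uploads under a server-generated name with a single fixed extension avoids depending on this check at all.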

