[VIM] PHP File Upload Vulnerability with extra Extension

str0ke str0ke at milw0rm.com
Wed May 14 19:26:50 UTC 2008


Thanks again dark. That's what I was looking for.

/str0ke

GM darkfig wrote:
> Hi =)
>
> If the filename is a well-known extension (jpg, gif, etc...), it can be
> interpreted as a php file if there is a .htaccess file with this type of
> content:
>
> # backdoor.php.jpg
> AddHandler application/x-httpd-php .php
>
> If the extension is unknown (zzz, jpx, etc...), it can be interpreted as a
> php file if the module mod_mime is loaded:
>
> # backdoor.php.xxx
> LoadModule mime_module modules/mod_mime.so
>
> - darkfig
>
> 2008/5/13 str0ke <str0ke at milw0rm.com>:
>   
>> Thank you both for the explanation.
>>
>> regards,
>> /str0ke
>>
>> Matthew Murphy wrote:
>>     
>>> On May 12, 2008, at 2:28 PM, str0ke wrote:
>>>
>>>       
>>>> I have forgotten what caused the vulnerability where you upload a file
>>>> such as somefile.php.jpg and it can be executed as a php script.  I know
>>>> this isn't a php vulnerability as much as an addon.  I think in the past
>>>> it was suexec that caused this but not sure.  Anyone have a clue?
>>>>
>>>> Regards,
>>>> /str0ke
>>>>         
>>> It's a design decision, according to ASF.  The idea is that you can
>>> have multiple extensions, e.g:
>>>
>>> index.html.en
>>>
>>> Both of which affect the content processing in some way.  The .html
>>> file tells the core that it is a static document, but the .en tells
>>> mod_negotiation that it is an English-language version of
>>> 'index.html'.  The same processing is done for PHP content, e.g.:
>>>
>>> index.php.fr
>>>
>>> Will be processed if I request 'index.php' with an Accept-Language
>>> header including 'fr' or a subcode of it.
>>>
>>> - Matt
>>>
>>>       
>
>   
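
Added example (not part of the original thread or of any project it mentions): an upload filename check that inspects every extension in the name, since the thread explains that Apache acts on all of them, shown next to the last-extension-only check that lets somefile.php.jpg through. The extension sets and the function names are assumptions for illustration.

```python
import os
import secrets

# Assumption: extensions this server maps to a script handler; match them to
# the AddHandler/AddType lines in your own configuration.
HANDLER_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "cgi", "pl"}
# Assumption: upload types accepted by a hypothetical image-upload feature.
ALLOWED_FINAL_EXTENSIONS = {"jpg", "jpeg", "gif", "png"}


def extensions(filename):
    """Every dot-separated extension in the name, lowercased, left to right."""
    base = os.path.basename(filename.replace("\\", "/"))
    return [part.lower() for part in base.split(".")[1:]]


def naive_check(filename):
    """The flawed check: looks at the last extension only."""
    exts = extensions(filename)
    return bool(exts) and exts[-1] in ALLOWED_FINAL_EXTENSIONS


def check_upload_name(filename):
    """Return (ok, reason); every extension is inspected, not just the last."""
    exts = extensions(filename)
    if not exts or exts[-1] not in ALLOWED_FINAL_EXTENSIONS:
        return False, "final extension not allowed"
    for ext in exts[:-1]:
        if ext in HANDLER_EXTENSIONS:
            return False, "handler-mapped extension: " + ext
    return True, "ok"


def stored_name(filename):
    """Server-generated name that keeps one extension and nothing else."""
    ok, reason = check_upload_name(filename)
    if not ok:
        raise ValueError(reason)
    return secrets.token_hex(16) + "." + extensions(filename)[-1]


if __name__ == "__main__":
    # Constructed sample names; the first two are the ones from the thread.
    for name in ["somefile.php.jpg", "backdoor.php.xxx", "index.PHP.jpg",
                 ".htaccess", "holiday.2008.jpg"]:
        print(name, naive_check(name), check_upload_name(name))
```

Storing the file under the generated name means the on-disk name never carries a second extension for the server to interpret.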

