[PLUG] i can't believe this hasn't come up before
wes
plug at the-wes.com
Sat Nov 14 07:39:14 UTC 2009
$ cat /etc/issue
Debian GNU/Linux 4.0 \n \l
$ mv phpinfo.php phpinfo.php.txt
$ wget -qO - http://the-wes.com/phpinfo.php.txt
<?PHP phpinfo(); ?>
I think this means I'm safe.
-wes
On Fri, Nov 13, 2009 at 10:29 PM, Joe Pruett <joey at clean.q7.com> wrote:
> if you use the apache addhandler command for things like php, perl, python, etc
> it can create a huge hole if you allow uploads into your web space (images for
> example). the unbelievable behavior is that addhandler (and other friends from
> mod_mime) look for the extension anywhere in the filename, not just the end.
> so foo.php.jpg will be run as php if addhandler is used for .php (which is the
> default for redhat 5 systems).
>
> a workaround is to use:
>
> <FilesMatch \.php$>
> SetHandler php5-script
> ForceType text/html
> </FilesMatch>
>
> instead. wow, this is just scary...
>
> _______________________________________________
> PLUG mailing list
> PLUG at lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
>
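
An audit sketch for the behaviour Joe describes, added here as an example and not part of either message: it walks an upload directory and lists files whose name carries a handler extension somewhere other than the end, i.e. files an AddHandler mapping would pick up but the FilesMatch workaround would not. The HANDLER_EXTS set, the function names and the sample filenames are assumptions made for the illustration.

```python
import os
import re
import tempfile

# Assumption: the extensions your config passes to AddHandler.
HANDLER_EXTS = {"php"}
# The pattern from the workaround quoted above.
FILESMATCH = re.compile(r"\.php$")


def addhandler_hit(name, exts=HANDLER_EXTS):
    """Model of the mod_mime lookup described in the thread: every
    dot-separated component after the base name counts as an extension,
    compared case-insensitively, wherever it sits in the name."""
    parts = name.split(".")[1:]  # the first component is the base name
    return any(p.lower() in exts for p in parts)


def filesmatch_hit(name):
    """True only when the name ends in .php, as in <FilesMatch \\.php$>."""
    return FILESMATCH.search(name) is not None


def audit(root):
    """Relative paths under root that AddHandler-style matching would hand
    to the script handler although they do not end in the extension."""
    risky = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if addhandler_hit(f) and not filesmatch_hit(f):
                risky.append(os.path.relpath(os.path.join(dirpath, f), root))
    return sorted(risky)


def demo():
    """Build a throwaway upload tree (constructed sample names) and audit it."""
    names = ["avatar.jpg", "index.php", "foo.php.jpg",
             "notes.php.bak", "php.jpg", os.path.join("img", "x.PHP.png")]
    with tempfile.TemporaryDirectory() as root:
        for n in names:
            path = os.path.join(root, n)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return audit(root)


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Point audit() at the real upload directory to find names that need renaming or removal before or after switching to the FilesMatch form.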