httpd-dev mailing list archives

From Yehuda Katz <yeh...@ymkatz.net>
Subject Re: MAJOR SECURITY-PROBLEM Apache 2.4.6
Date Mon, 16 Sep 2013 17:33:17 GMT
I can sort-of confirm this.

Apache 2.4.3 on Windows 7 x64 (ApacheLounge build)
For me, the PHP is executed, not displayed.

Stock configuration with mod_php and only this added:
 <Location "/phpinfo.php">
LimitRequestBody 1
</Location>

The built-in error is displayed with the processed PHP (in my case, just
phpinfo()) appended. I could not replicate this with any other directive.

- Y


On Mon, Sep 16, 2013 at 7:56 AM, Reindl Harald <h.reindl@thelounge.net> wrote:

> why in the world does Apache add the *source code* of the called PHP
> script after the specified ErrorDocument? this is a major problem
> and exactly *not* what should happen by a security option
> ________________________________________________
>
> <Location "/cms.php">
>  LimitRequestBody 10
> </Location>
>
> ErrorDocument 413 "<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01
> Transitional//EN'
> 'http://www.w3.org/TR/html4/loose.dtd'><html><head><title>Error 413 -
> Request Entity Too Large</title><style
> type='text/css'>* {font-family:Arial,Helvetica; text-decoration:none;
> font-size:16px;} body {margin:0px;
> padding:15px;}</style></head><body><h1 style='margin-top:0px;
> font-size:18px;'>Error 413</h1><p>Request Entity Too
> Large / Anfrage zur Bearbeitung zu lang<br />Tech. Contact: <a
> href='mailto:server-admins@thelounge.net?subject=Server-Error-413'>
> server-admins@thelounge.net</a></p></body></html>"
> ________________________________________________
>
> OUTPUT TO THE BROWSER (stripped, yes it adds the complete PHP script)
>
> <!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'
> 'http://www.w3.org/TR/html4/loose.dtd'><html><head><title>Error 413 -
> Request Entity Too Large</title><style
> type='text/css'>* {font-family:Arial,Helvetica; text-decoration:none;
> font-size:16px;} body {margin:0px;
> padding:15px;}</style></head><body><h1 style='margin-top:0px;
> font-size:18px;'>Error 413</h1><p>Request Entity Too
> Large / Anfrage zur Bearbeitung zu lang<br />Tech. Contact: <a
> href='mailto:admin@rhsoft.net?subject=Server-Error-413'>admin@rhsoft.net
> </a></p></body></html><?php
>  /**
>   CONTENT MANAGMENT SYSTEM / CONTENTLOUNGE
>   ------------------------------------------------------------------
>   AENDERUNGEN UND WEITERGABE DIESER DATEI OHNE RUECKSPRACHE MIT DEM
>   ENTWICKLER SIND LIZENZRECHTLICH NICHT GESTATTET!
>   ---------------------------------------------------
>
>
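
A regression check for the behaviour reported in this thread, as an added example that is not part of the original messages or of Apache httpd: it classifies a 413 response by what follows the error document. The function names, result labels and sample responses are constructed for illustration, and the response body is assumed to be already de-chunked.

```python
import re

PHP_OPEN = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
HTML_CLOSE = re.compile(r"</html\s*>", re.IGNORECASE)

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status code, decoded body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator")
    status = int(head.split(b"\r\n", 1)[0].split(b" ", 2)[1])
    return status, body.decode("utf-8", "replace")

def classify_413(raw: bytes, error_document: str = "") -> str:
    """Classify what follows the 413 error document in the response body."""
    status, body = parse_response(raw)
    if status != 413:
        return "not-413"
    if error_document and body.startswith(error_document):
        trailer = body[len(error_document):]
    else:
        # Fall back to the first closing </html> as the end of the error page.
        m = HTML_CLOSE.search(body)
        if not m:
            return "unknown-layout"
        trailer = body[m.end():]
    if not trailer.strip():
        return "clean"
    if PHP_OPEN.search(trailer):
        return "source-leak"            # raw script appended (first report)
    return "handler-output-appended"    # executed output appended (reply)

# Constructed sample responses (not captured traffic).
ERR = "<html><body><h1>Error 413</h1></body></html>"
HDR = b"HTTP/1.1 413 Request Entity Too Large\r\nContent-Type: text/html\r\n\r\n"
SAMPLES = {
    "clean": HDR + ERR.encode(),
    "source-leak": HDR + ERR.encode() + b"<?php\n /** placeholder script */\n",
    "handler-output-appended": HDR + ERR.encode() + b"<html><body>phpinfo output</body></html>",
    "not-413": b"HTTP/1.1 200 OK\r\n\r\nok",
}

if __name__ == "__main__":
    for expected, raw in SAMPLES.items():
        print(expected, "->", classify_413(raw, ERR))
```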
