httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Reindl Harald <h.rei...@thelounge.net>
Subject Re: MAJOR SECURITY-PROBLEM Apache 2.4.6
Date Wed, 01 Oct 2014 17:05:40 GMT

Am 16.09.2013 um 19:33 schrieb Yehuda Katz:
> I can sort-of confirm this.
> 
> Apache 2.4.3 on Windows 7 x64 (ApacheLounge build)
> For me, the PHP is executed, not displayed.
> 
> Stock configuration with mod_php and only this added:
> <Location "/phpinfo.php">
> LimitRequestBody 1
> </Location>
> 
> The built in error is displayed with the processed PHP (in my case, just phpinfo() )
appended. I could not
> replicate this with any other directive.

2.4.10

that issue still exists and the only safe way in context
of mod_php and httpd is stay at "LimitRequestBody 0" because
even a file-upload exceeding that limit leads in spit
out the content of the php script instead a error page

mod_security and "SecRequestBodyLimit" works as expected
blocking the request - so it hardly is a bug in mod_php
which should not be called at all if "LimitRequestBody"
takes action

if it can't be re-produced there should be at least
a big fat warning in the documenetation that it has
the opposite effect in some environments

> On Mon, Sep 16, 2013 at 7:56 AM, Reindl Harald <h.reindl@thelounge.net <mailto:h.reindl@thelounge.net>>
wrote:
> 
>     why in the world does Apache add the *sourcode* of the called PHP
>     script after the sepcified ErrorDocument? this is a major problem
>     and exactly *not* what should happen by a security option
>     ________________________________________________
> 
>     <Location "/cms.php">
>      LimitRequestBody 10
>     </Location>
> 
>     ErrorDocument 413 "<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'
>     'http://www.w3.org/TR/html4/loose.dtd'><html><head><title>Error
413 - Request Entity Too Large</title><style
>     type='text/css'>* {font-family:Arial,Helvetica; text-decoration:none; font-size:16px;}
body {margin:0px;
>     padding:15px;}</style></head><body><h1 style='margin-top:0px;
font-size:18px;'>Error 413</h1><p>Request Entity Too
>     Large / Anfrage zur Bearbeitung zu lang<br />Tech. Contact: <a
>     href='mailto:server-admins@thelounge.net
>     <mailto:server-admins@thelounge.net>?subject=Server-Error-413'>server-admins@thelounge.net
>     <mailto:server-admins@thelounge.net></a></p></body></html>"
>     ________________________________________________
> 
>     OUTPUT TO THE BROWER (stripped, yes it adds the complete PHP sript)
> 
>     <!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'
>     'http://www.w3.org/TR/html4/loose.dtd'><html><head><title>Error
413 - Request Entity Too Large</title><style
>     type='text/css'>* {font-family:Arial,Helvetica; text-decoration:none; font-size:16px;}
body {margin:0px;
>     padding:15px;}</style></head><body><h1 style='margin-top:0px;
font-size:18px;'>Error 413</h1><p>Request Entity Too
>     Large / Anfrage zur Bearbeitung zu lang<br />Tech. Contact: <a
>     href='mailto:admin@rhsoft.net <mailto:admin@rhsoft.net>?subject=Server-Error-413'>admin@rhsoft.net
>     <mailto:admin@rhsoft.net></a></p></body></html><?php
>      /**
>       CONTENT MANAGMENT SYSTEM / CONTENTLOUNGE
>       ------------------------------------------------------------------
>       AENDERUNGEN UND WEITERGABE DIESER DATEI OHNE RUECKSPRACHE MIT DEM
>       ENTWICKLER SIND LIZENZRECHTLICH NICHT GESTATTET!
>       ---------------------------------------------------


Mime
View raw message