httpd-users mailing list archives

From Joshua Slive <jos...@slive.ca>
Subject Re: [users@httpd] parsing files
Date Sat, 21 Feb 2004 18:10:38 GMT

On Sat, 21 Feb 2004, Louwrens Boonstra wrote:
>
> Many file upload systems allow all kinds of extensions and only exclude
> (for example) .php files.
> But when I upload a file like:
>
> test.php.foo.bar
>
> It still will be parsed as a .php file. I'm sure this is more a kind of
> feature than a bug but I found a lot of sites using upload systems that
> can easily be compromised!
>
> As I couldn't find more information on this 'leak', I thought it would be
> useful to post it here.

It is a documented feature:
http://httpd.apache.org/docs-2.0/mod/mod_mime.html#multipleext

It is clearly the "upload systems" that are broken.

And in any case, that is the wrong place to put the restriction. If you
want to prevent them from running PHP files, you should use your Apache
configuration to restrict the PHP processing to areas where it is allowed.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
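
One way to apply the advice in the reply above, shown as an added example that is not part of the original message: PHP is bound only to names ending in `.php` inside the application directory, and the upload directory gets no handler at all. The two directory paths are assumptions (sibling directories), and `application/x-httpd-php` is the handler name conventionally used with mod_php.

```apache
# Added example. /var/www/example/app and /var/www/example/uploads are
# assumed sibling directories; adjust to the real layout.
# httpd comments must sit on their own line, not after a directive.

# Before (weak): a server-wide extension mapping. mod_mime considers every
# extension in the name, so test.php.foo.bar is handed to PHP as well.
#AddType application/x-httpd-php .php

# After: no server-wide PHP mapping. PHP runs only in the application
# directory, and only for names that end in .php.
<Directory "/var/www/example/app">
    <FilesMatch "\.php$">
        SetHandler application/x-httpd-php
    </FilesMatch>
</Directory>

# Upload area: nothing is executed here, whatever the file is called.
<Directory "/var/www/example/uploads">
    # Ignore .htaccess so an uploaded one cannot re-enable a handler.
    AllowOverride None
    # No CGI and no server-side includes.
    Options None
    # Drop any .php mapping inherited from a server-wide or packaged config.
    RemoveHandler .php
    RemoveType .php
</Directory>
```

Run `apachectl configtest` after editing to check the syntax before reloading the server.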

