Apache/PHP exploit - Please advise

6 posts / 0 new
Last post
#1 Sun, 10/14/2007 - 20:20
JohnFord

Apache/PHP exploit - Please advise

Hello... I found this on Coppermine site and it appears my site is vunerable. Any ideas on how to deal with this issue?

http://coppermine-gallery.net/forum/index.php?topic=31534.0

What it involves is the ability of Apache to run any php code in a file as long as the filename has ".php" in the file name. Therefore uploading a file named filetest.php.rar and opening the file in a browser window will execute the code.

example from URL above... How can I find out if my webserver is vulnerable? Create a plain-text file with this content: Code: <?php print 'Oops, my webserver is vulnerable'; ?>, name it test.php.rar, upload it to your webserver (by Coppermine methods or by FTP) and run it in your browser by entering the URL of the file you uploaded into the browser's address bar. If the susequent page shows the message Quote Oops, my webserver is vulnerable , then you really should be alarmed. If it returns garbled text, the PHP source code or just asks you to download the file, then your webserver probably is configured OK and you're not vulnerable.

Mon, 10/15/2007 - 04:12
DanLong

I guess the question is, how does the hacker get the file uploaded to your server?

I just wiped clean and reloaded a server that was constantly hacked and couldn't figure out how they were getting in. Now, taking this into account, I see the server had uploadable programs ie, banner exchange, news article archive site etc.

Is there a way to block &quot;.rar&quot; files? No pun intended but it is rare to find .rar archive files now days. Or can we tweak Apache to disregard filenames after the .php?

thanks,
Dan

Mon, 10/15/2007 - 05:38 (Reply to #2)
DanLong

Ran the test and sure enough the page said &quot;this server is toast!!!&quot;. Okay so I changed the text ;-)

Did a quick search and found the following fix that, then, just left a blank page after accessing the file:

Locate your httpd.conf, search for AddType and add the fowlling after other AddType such as .gz:

AddType application/rar .rar
AddType application/x-compressed .rar
AddType application/x-rar .rar
AddType application/x-rar-compressed .rar
AddType application/x-rar-compressed; application/x-compressed .rar
AddType compressed/rar; application/x-rar-compressed .rar

Joe, if you want to chime in and let me know if this screws up future updates????

thanks,
Dan

Mon, 10/15/2007 - 07:03 (Reply to #3)
DanLong

I guess then it's back to eliminating anything after .php

how to do that is the question then

Mon, 10/15/2007 - 12:01 (Reply to #4)
Joe
Joe's picture

Hey guys,

Despite assertions to the contrary by the Coppermine folks...this is a security bug in Coppermine. No web applications should allow arbitrary files to be created on the server in executable space by untrusted users, and that's what the exploit is all about.

Presumably the current version of Coppermine sanitizes filenames and prevents this kind of problem.

--

Check out the forum guidelines!

Mon, 10/15/2007 - 06:45
JohnFord

yea... but, all they have to do is name the file some name for which you have not addressed a mime type setting. Then apache disregards that portion of the filename and goes ahead and decides that the file must be php and runs the code.

what I mean is... all they have to do is name the file &quot;filetest.php.raru&quot; OR &quot;filetest.php.rararu&quot; OR &quot;filetest.php.rur&quot;, etc., etc.

At least that is how I understood it...

Topic locked