Beware of the default Apache 2 config for PHP

Note: This article was originally published at Planet PHP on 31 August 2010.
About a week ago, I was doing some upgrades on my development machine and came across a rather nasty issue when it comes to how .php(s) files are associated with PHP in Apache. It seems that a number of distros including Gentoo (which is what I was using) are using the following configuration directive to make the PHP module parse PHP files:


AddHandler application/x-httpd-php .php
AddHandler application/x-httpd-php-source .phps



The non-obvious problem with the above is that it allows not only "file.php" to be treated as a PHP script, but also "file.php.txt", which means that any file containing ".php" in its name, no matter where in the filename, is treated as a PHP script. This of course creates a rather nasty security hole, since many upload file validation tools only check the final extension. Consequently, a user can bypass the validation by simply appending another "harmless" extension like .txt, .pdf, etc. to the filename, and still get the code to execute.

To mitigate this problem you should instead use the following configuration, which will only pick up files ending with a .php extension.


AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
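
On the application side, the upload validation weakness described above can be closed by checking every extension in the filename rather than only the last one. The following is an added example, not code from the original article; the function names and sample filenames are constructed for illustration, and the extension list assumes the .php and .phps mappings shown in the directives above.

```php
<?php
// Added example: upload filename checks (hypothetical helper names).

// Extensions the server maps to PHP, taken from the directives in the article.
const HANDLER_EXTENSIONS = ['php', 'phps'];

// The weak check the article describes: only the final extension is inspected.
function finalExtensionIsSafe(string $name): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return !in_array($ext, HANDLER_EXTENSIONS, true);
}

// Stricter check: every dot-separated component after the base name is
// treated as an extension, and the comparison is case-insensitive.
function allExtensionsAreSafe(string $name): bool
{
    $parts = explode('.', strtolower(basename($name)));
    array_shift($parts); // drop the base name, keep only the extensions
    foreach ($parts as $ext) {
        if (in_array($ext, HANDLER_EXTENSIONS, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample filenames, not taken from a real system.
$samples = ['report.pdf', 'file.php', 'file.php.txt', 'photo.PHP.jpg', 'php.txt'];

foreach ($samples as $name) {
    printf(
        "%-14s final-only: %-6s all-extensions: %s\n",
        $name,
        finalExtensionIsSafe($name) ? 'accept' : 'reject',
        allExtensionsAreSafe($name) ? 'accept' : 'reject'
    );
}
```

With these samples, "file.php.txt" and "photo.PHP.jpg" pass the final-extension check but are rejected by the stricter one, while "php.txt" is accepted by both because "php" is its base name, not an extension.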