[MacPorts] #38452: PHP code disclosure vulnerability with apache2 and other web servers (was: Apache on HFS Critical Security Issue)

Clemens Lang cal at macports.org
Thu Mar 21 09:10:55 PDT 2013


On Thu, Mar 21, 2013 at 08:29:38AM -0700, Bradley Giesbrecht wrote:
> If you have mod_rewrite available this appears to work around the problem for me:
> ...
> RewriteCond %{SCRIPT_FILENAME} .+\.p.+hp$ [NC]
> RewriteRule ^(.*)$ http://%{HTTP_HOST} [L,QSA]
> ...

Be warned that doing this will only fix the specific attack mentioned in
the ticket. The Unicode bytes could however also be added between
"<filename>.ph" and "p" instead of between "p" and "hp".

So, your solution is not a secure workaround!
Also, there probably are other Unicode symbols that can be used in this
place to exploit the vulnerability.

-- 
Clemens Lang
