[MacPorts] #38452: PHP code disclosure vulnerability with apache2 and other web servers (was: Apache on HFS Critical Security Issue)

Bradley Giesbrecht pixilla at macports.org
Thu Mar 21 09:28:32 PDT 2013


On Mar 21, 2013, at 9:10 AM, Clemens Lang wrote:

> On Thu, Mar 21, 2013 at 08:29:38AM -0700, Bradley Giesbrecht wrote:
>> If you have mod_rewrite available this appears to work around the problem for me:
>> ...
>> RewriteCond %{SCRIPT_FILENAME} .+\.p.+hp$ [NC]
>> RewriteRule ^(.*)$ http://%{HTTP_HOST} [L,QSA]
>> ...
> 
> Be warned that doing this will only fix the specific attack mentioned in
> the ticket. The unicode bytes could however also be added between
> "<filename>.ph" and "p" instead of between "p" and "hp".

RewriteCond %{SCRIPT_FILENAME} .+\.php[^\.]+$ [NC,OR]
RewriteCond %{SCRIPT_FILENAME} .+\.ph[^\.]+p$ [NC,OR]
RewriteCond %{SCRIPT_FILENAME} .+\.p[^\.]+hp$ [NC,OR]
RewriteCond %{SCRIPT_FILENAME} .+\.[^\.]+php$ [NC]
RewriteRule ^(.*)$ http://%{HTTP_HOST} [L,QSA]

> So, your solution is not a secure workaround!
> Also, there probably are other unicode symbols that can be used in this
> place to exploit the vulnerability.


Won't "[^\.]+" catch any number of non-dots?


Regards,
Bradley Giesbrecht (pixilla)
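
Added example, not part of the original message or the MacPorts ticket: a Python coverage test of the four RewriteCond patterns above, run against constructed file names, next to a check that normalizes the name first. The ignorable code point set, the stand-in character U+200C and the sample paths are assumptions, not values from the thread.

```python
import re

# The four RewriteCond patterns from the message above. [NC] maps to
# re.IGNORECASE and the [OR] chain to any(). Apache matches bytes and Python
# matches code points; for these patterns the outcome is the same.
CONDS = [re.compile(p, re.IGNORECASE) for p in (
    r".+\.php[^\.]+$",
    r".+\.ph[^\.]+p$",
    r".+\.p[^\.]+hp$",
    r".+\.[^\.]+php$",
)]

# Assumption: code points the file system ignores when comparing names
# (zero-width and directional formatting characters).
IGNORABLE = re.compile("[\u200c-\u200f\u202a-\u202e\u206a-\u206f\ufeff]")

def rewrite_matches(script_filename):
    """True if the OR-ed RewriteCond chain would fire for this path."""
    return any(c.search(script_filename) for c in CONDS)

def normalized_check(script_filename):
    """True if stripping ignorable characters reveals a hidden .php name."""
    stripped = IGNORABLE.sub("", script_filename)
    return stripped != script_filename and stripped.lower().endswith(".php")

Z = "\u200c"  # constructed stand-in for the "unicode bytes" in the thread
SAMPLES = {   # constructed SCRIPT_FILENAME values
    "plain":            "/srv/www/index.php",
    "between p and hp": "/srv/www/index.p" + Z + "hp",
    "between ph and p": "/srv/www/index.ph" + Z + "p",
    "after php":        "/srv/www/index.php" + Z,
    "before php":       "/srv/www/index." + Z + "php",
    "two positions":    "/srv/www/index.p" + Z + "h" + Z + "p",
    "legit php5":       "/srv/www/index.php5",
}

def coverage():
    """Map each sample label to (rewrite rule fires, normalized check fires)."""
    return {k: (rewrite_matches(v), normalized_check(v)) for k, v in SAMPLES.items()}

if __name__ == "__main__":
    for label, (rule, norm) in coverage().items():
        print(f"{label:18} rewrite={rule!s:5} normalized={norm}")
```

Each `[^\.]+` absorbs any run of non-dot characters at one position only, so the pattern list and the normalized check disagree on the "two positions" and "legit php5" rows.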


