[MacPorts] #38452: PHP code disclosure vulnerability with apache2 and other web servers (was: Apache on HFS Critical Security Issue)

Clemens Lang cal at macports.org
Thu Mar 21 10:59:17 PDT 2013


On Thu, Mar 21, 2013 at 09:28:32AM -0700, Bradley Giesbrecht wrote:
> RewriteCond %{SCRIPT_FILENAME} .+\.php[^\.]+$ [NC,OR]
> RewriteCond %{SCRIPT_FILENAME} .+\.ph[^\.]+p$ [NC,OR]
> RewriteCond %{SCRIPT_FILENAME} .+\.p[^\.]+hp$ [NC,OR]
> RewriteCond %{SCRIPT_FILENAME} .+\.[^\.]+php$ [NC]
> RewriteRule ^(.*)$ http://%{HTTP_HOST} [L,QSA]

This might work for .php scripts, but will fail for .rb or any other
script language extension. Really, filtering is not a workaround to
fixing this issue properly.

-- 
Clemens Lang
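
The reply's point, checked mechanically, as an added example that is not part of the original message: the four quoted `RewriteCond` patterns are run over constructed script paths to show which ones the filter catches. The paths, the `~` stand-in for an extra character in the extension, and the function names are assumptions made for illustration.

```python
import re

# The four RewriteCond patterns quoted above, copied verbatim.
# [NC] maps to re.IGNORECASE; mod_rewrite matches unanchored, like re.search.
QUOTED_CONDITIONS = [
    r".+\.php[^\.]+$",
    r".+\.ph[^\.]+p$",
    r".+\.p[^\.]+hp$",
    r".+\.[^\.]+php$",
]
COMPILED = [re.compile(p, re.IGNORECASE) for p in QUOTED_CONDITIONS]


def is_filtered(script_filename: str) -> bool:
    """True if any quoted condition matches (the conditions are OR-ed)."""
    return any(rx.search(script_filename) for rx in COMPILED)


def unfiltered(paths):
    """Return the paths that none of the quoted conditions match."""
    return [p for p in paths if not is_filtered(p)]


# Constructed sample paths. "~" is a stand-in for an extra character inside
# the extension; it is an assumption, not a value taken from the thread.
SAMPLES = [
    "/srv/www/index.php",    # ordinary request, must pass through
    "/srv/www/index.php~",   # covered by condition 1
    "/srv/www/index.ph~p",   # covered by condition 2
    "/srv/www/index.p~hp",   # covered by condition 3
    "/srv/www/index.~php",   # covered by condition 4
    "/srv/www/index.PHP~",   # covered through [NC]
    "/srv/www/app.rb~",      # other script language: not covered
    "/srv/www/app.r~b",      # other script language: not covered
    "/srv/www/tool.pl~",     # other script language: not covered
]

if __name__ == "__main__":
    for path in SAMPLES:
        print(f"{'filtered' if is_filtered(path) else 'passed  '}  {path}")
```

Every extension handled by a script interpreter would need its own set of conditions, which is why the reply calls for a proper fix instead of filtering.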


