Sample front page file sample-public-front-page.php.txt is "executable" under (very) common Apache Config #1319

ozh opened this issue Apr 6, 2013 · 0 comments
ozh commented Apr 6, 2013

This is a COPY of Issue 1319: Sample front page file sample-public-front-page.php.txt is "executable" under (very) common Apache Config, filed on Google Code before the project was moved to GitHub.

Please review the original issue and especially its comments. Comments here on closed issues will be ignored. Thanks.

Original description

**What steps will reproduce the problem?**
1. Install the app
2. Leave the file "sample-public-front-page.php.txt" in place
3. Standard (albeit bad) apache config will load this file as PHP

**What is the expected output?**

A non-functioning blob of code

**What do you see instead?**

The front page

**Please write in your current versions of YOURLS, Web server, PHP, OS, Browser if applicable, etc...**

Web server: Stock SuSE Apache install

**Please provide any additional information below.**

One of our admins hacked basic LDAP support onto version 1.4.
We found a click fraud URL in our URL list. This was the entry point.

I was surprised to find out that FILENAME.php.txt would load as PHP. I'd always assumed the .txt disabled the PHP interpretation. Turns out not to be the case.

The key line from the Apache config: "Filenames may have multiple extensions and the extension argument will be compared against each of them."

This is not strictly speaking a bug, but I believe it's worth bringing to your attention. In particular the exploiter obviously knew about this and used it maliciously.
@ozh ozh closed this as completed Apr 6, 2013
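The multiple-extension behaviour the issue describes comes from `AddHandler`/`AddType` matching any extension in a filename, so `sample-public-front-page.php.txt` still reaches the PHP handler. The following is an added configuration example, not part of this issue or of YOURLS; it assumes Apache 2.4 syntax and mod_php's `application/x-httpd-php` handler name (a php-fpm setup would use its own proxy handler instead). It shows the weak directive beside the anchored `<FilesMatch>` form that only runs files whose name ends in `.php`, plus a deny rule for any leftover `.php.txt` samples.

```apache
# Added example (not from the YOURLS issue or project). Assumes Apache 2.4 and
# mod_php; adjust the handler name for php-fpm.

# WEAK (kept commented out): AddHandler/AddType compare ".php" against EVERY
# extension of a multi-extension filename, so "foo.php.txt" is executed as PHP.
# AddHandler application/x-httpd-php .php
# AddType    application/x-httpd-php .php

# SAFER: the anchored regex only matches names that END in ".php", so
# "sample-public-front-page.php.txt" is served as plain text, not executed.
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>

# Defence in depth: refuse to serve shipped sample files with a ".php.txt"
# suffix at all, whatever handler they would otherwise get.
<FilesMatch "\.php\.txt$">
    Require all denied
</FilesMatch>
```

After changing the configuration, `apachectl configtest` followed by a reload is the usual check; a request for a `.php.txt` file should then return its raw text (or a 403 with the deny rule in place) rather than rendered output. Removing the sample file after installation, as the reporter suggests, is the simplest fix and is independent of the web server configuration.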