Sample front page file sample-public-front-page.php.txt is "executable" under (very) common Apache Config #1319

Closed
ozh opened this Issue Apr 6, 2013 · 0 comments

ozh commented Apr 6, 2013

This is a COPY of Issue 1319: Sample front page file sample-public-front-page.php.txt is "executable" under (very) common Apache Config, filed on Google Code before the project was moved to GitHub.

Please review the original issue and especially its comments. Comments here on closed issues will be ignored. Thanks.

Original description

**What steps will reproduce the problem?**
1. Install the app
2. Leave the file "sample-public-front-page.php.txt" in place
3. Standard (albeit bad) Apache config will load this file as PHP

**What is the expected output?**

A non-functioning blob of code

**What do you see instead?**

The front page


**Please write in your current versions of YOURLS, Web server, PHP, OS,**
**Browser if applicable, etc...**

YOURLS 1.4
Web server: Stock SuSE Apache install

**Please provide any additional information below.**

One of our admins hacked basic LDAP support onto version 1.4.
We found a click fraud URL in our URL list. This was the entry point.

I was surprised to find out that FILENAME.php.txt would load as PHP. I'd always assumed the .txt disabled the PHP interpretation. Turns out not to be the case. 
ilia.ws/archives/226-Beware-of-the-default-Apache-2-config-for-PHP.html

The key line from the Apache config: "Filenames may have multiple extensions and the extension argument will be compared against each of them."

This is not strictly speaking a bug, but I believe it's worth bringing to your attention. In particular, the exploiter obviously knew about this and used it maliciously.

ozh closed this Apr 6, 2013
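The mechanism behind the report is Apache mod_mime's multiple-extension matching: `AddHandler php5-script .php` compares `.php` against every extension in the name, so `sample-public-front-page.php.txt` picks up the PHP handler from its middle extension and is executed, while the trailing `.txt` only sets the MIME type. The usual fix is to bind the handler with an anchored `<FilesMatch "\.php$">` block instead. The script below is an added illustration, not YOURLS or Apache code: it models that documented behaviour in a few lines, parses two constructed config fragments (the weak extension-based one and the anchored one), and audits a constructed directory listing for files PHP would run although they do not end in `.php`. It generalises past the reported file to any `.php.bak`, `.php.sample` or `.php.jpg` leftover, which the same rule catches. The handler name `php5-script` and the listing are assumptions; the reporter's actual SuSE config is not reproduced on the page, and the model ignores every other mod_mime feature (languages, encodings, MultiviewsMatch).

```python
import os
import re

# Constructed Apache config fragments (assumptions for this illustration).
WEAK_CONF = """
# Distro-style PHP glue: extension based, so it matches ANY ".php" in the name
AddHandler php5-script .php
AddType text/plain .txt
"""

HARDENED_CONF = """
# Bind the handler to the LAST extension only
<FilesMatch "\\.php$">
    SetHandler php5-script
</FilesMatch>
AddType text/plain .txt
"""


def parse_conf(text):
    """Minimal parser for the three directives this model cares about.

    Returns (handlers {ext: handler}, types {ext: mime}, filesmatch [(regex, handler)]).
    A SetHandler outside a <FilesMatch> block is ignored here.
    """
    handlers, types, filesmatch = {}, {}, []
    current_match = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'<FilesMatch\s+"?([^">]+)"?\s*>', line)
        if m:
            current_match = m.group(1)
            continue
        if line.lower() == "</filesmatch>":
            current_match = None
            continue
        tokens = line.split()
        directive = tokens[0].lower()
        if directive == "sethandler" and current_match is not None:
            filesmatch.append((current_match, tokens[1]))
        elif directive == "addhandler":
            for ext in tokens[2:]:
                handlers[ext.lower()] = tokens[1]
        elif directive == "addtype":
            for ext in tokens[2:]:
                types[ext.lower()] = tokens[1]
    return handlers, types, filesmatch


def resolve(filename, conf):
    """Return (handler, mime_type) the modelled mod_mime would assign."""
    handlers, types, filesmatch = conf
    base = os.path.basename(filename)
    handler = mime = None
    # mod_mime walks every extension after the first dot and compares each one
    # against AddHandler/AddType.  A handler found on ANY extension sticks; a
    # later MIME type does not clear it.  Unknown extensions are ignored.
    for part in base.split(".")[1:]:
        ext = "." + part.lower()
        if ext in handlers:
            handler = handlers[ext]
        if ext in types:
            mime = types[ext]
    # <FilesMatch> + SetHandler is evaluated against the whole name, so an
    # anchored regex like \.php$ only fires on a trailing .php
    for regex, h in filesmatch:
        if re.search(regex, base):
            handler = h
    return handler, mime


def executes_as_php(filename, conf):
    return resolve(filename, conf)[0] == "php5-script"


def audit(listing, conf):
    """Names that PHP would execute although they do not end in .php."""
    return sorted(f for f in listing
                  if executes_as_php(f, conf) and not f.lower().endswith(".php"))


# Constructed docroot listing: a YOURLS-style install plus typical leftovers
LISTING = [
    "index.php", "yourls-loader.php", "sample-public-front-page.php.txt",
    "config.php.bak", "readme.txt", "upload.php.jpg",
]

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        conf = parse_conf(text)
        print(name, "->", resolve("sample-public-front-page.php.txt", conf),
              "| unexpected PHP:", audit(LISTING, conf))
```

Under the weak fragment the audit flags the sample file together with `config.php.bak` and `upload.php.jpg` (the last one is the shape an upload-based attack takes); under the anchored fragment none of them execute and `index.php` still does. Note that the hardened config only stops execution: a leftover `config.php.bak` is then served as plain content, so stray copies of PHP files should still be removed from the document root rather than relied on to be inert.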
