Title: Apache AddHandler/AddType exploit protection
Author: Sebastian Pipping <sping@gentoo.org>
Content-Type: text/plain
Posted: 2015-04-06
Revision: 2
News-Item-Format: 1.0
Display-If-Installed: www-servers/apache

Apache's directives AddHandler [1] and AddType [2] can be used
to map certain file name extensions (e.g. .php) to a handler
(e.g. application/x-httpd-php).  While a line like

  AddHandler application/x-httpd-php .php .php5 .phtml
     ^^^^^^^
matches index.php, it also matches index.php.png.
With

  AddType application/x-httpd-php .php .php5 .phtml
     ^^^^
index.php.png is not executed, but index.php.disabled still is.


Apache's notes on multiple file extensions [3] document
a multi-language website as a context where that behavior
may be helpful.  Unfortunately, it can also be a security threat.

Combined with (not just PHP) applications that support
file upload, the AddHandler/AddType directive can get you into
remote code execution situations.

That is why >=app-eselect/eselect-php-0.7.1-r4 avoids AddHandler
and is shipping

  <FilesMatch "\.(php|php5|phtml)$">
    SetHandler application/x-httpd-php
  </FilesMatch>

instead.


Why this news entry?

 * Since Apache configuration lives below /etc,
   you need to run etc-update (or a substitute)
   to actually have related fixes applied.
   To get them into the running instance of Apache,
   you need to make it reload its configuration, e.g.

     sudo /etc/init.d/apache2 reload

 * If you are currently relying on AddHandler to execute
   secret_database_stuff.php.inc, moving away from AddHandler
   could result in serving your database credentials in plain
   text.  A command like

     find /var/www/ -name '*.php.*' \
                 -o -name '*.php5.*' \
                 -o -name '*.phtml.*'

   may help discovering PHP files that would no longer be executed.

   Shipping automatic protection for this scenario is not trivial,
   but you could manually install protection based on this recipe:

     <FilesMatch "\.(php|php5|phtml|phps)\.">
       # a) Apache 2.2 / Apache 2.4 + mod_access_compat
       #Order Deny,Allow
       #Deny from all

       # b) Apache 2.4 + mod_authz_core
       #Require all denied

       # c) Apache 2.x + mod_rewrite
       #RewriteEngine on
       #RewriteRule .* - [R=404,L]
     </FilesMatch>

 * You may be using AddHandler or AddType in other places,
   including off-package files.  Please have a look.

 * app-eselect/eselect-php is not the only package affected.
   There is a dedicated tracker bug at [4].
   As of the moment, affected packages include:

     app-eselect/eselect-php[apache2]
     net-nds/gosa-core
     www-apache/mod_fastcgi
     www-apache/mod_flvx
     www-apache/mod_python
     www-apache/mod_suphp
     www-apps/moinmoin
     www-apps/rt[-lighttpd]


Thanks to Nico Suhl, Michael Orlitzky and Marc Schiffbauer.

[1] https://httpd.apache.org/docs/current/mod/mod_mime.html#addhandler
[2] https://httpd.apache.org/docs/current/mod/mod_mime.html#addtype
[3] https://httpd.apache.org/docs/current/mod/mod_mime.html#multipleext
[4] https://bugs.gentoo.org/show_bug.cgi?id=544560