• Overall this is a great plugin, but I have one small criticism: your recommended fix to prevent code execution for uploaded files won’t work under common default Apache/PHP configurations.

    Your recommended fix allows requests only for files ending with certain whitelisted extensions:

    Order deny,allow
    Deny from all
    <Files ~ "\.(jpe?g|png|gif|mp3|wav|ogg|m4a|mp4|mov|wmv|avi|mpg|ogv|3gp|3g2|pdf|docx?|pptx?|ppsx?|odt|xlsx?|zip)$">
    Allow from all
    </Files>

    The problem is that Apache out of the box processes *multiple* file extensions and passes off execution to any handlers registered for them. (The default Apache PHP config also allows execution for multiple file extensions.)

    So, even with the above directive in place, PHP code in a file called “evil.php.png” will still execute under common default configurations.

    (See http://httpd.apache.org/docs/2.2/mod/mod_mime.html#multipleext)

    The solution is probably something like this (I haven’t tested it):

    <Files *>
        SetHandler default-handler
    </Files>

    as described here: http://stackoverflow.com/questions/18932756/disable-all-cgi-php-perl-for-a-directory-using-htaccess

    https://ww.wp.xz.cn/plugins/gauntlet-security/

Viewing 1 replies (of 1 total)
  • Plugin Author Cornelius Bergen

    (@cbergen)

    I like the whitelist approach since anything other than a known static file should simply return ‘Forbidden’ which is, I think, a good response. With the SetHandler method, PHP files are actually downloaded.

    The multiple extensions issue is very real though and should be addressed. I wonder if it would be worth trying to fix that issue closer to the web root rather than just the uploads folder. Here’s an old but relevant discussion:
    https://core.trac.ww.wp.xz.cn/ticket/11122#comment:8

    Maybe something like this should be recommended for the root .htaccess file (only if the server is deemed vulnerable)?…

    <Files *>
      SetHandler default-handler
    </Files>
    <FilesMatch \.php$>
      SetHandler application/x-httpd-php
    </FilesMatch>

    This is untested as well. But if it works, I would prefer to leave the uploads directory fix as-is.

    Thanks for the suggestion! I’ll be testing this on a vulnerable server and will definitely consider this for the next release.
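To make the behaviour of the two configurations above concrete, here is a small added Python model (not code from the thread or from the plugin) of mod_mime's right-most-handler rule and of how the uploads whitelist and the proposed root .htaccess each change the outcome. It assumes the stock PHP module mapping (AddHandler for .php).

```python
import re

# Added example: a simulation of the documented mod_mime behaviour and of the
# two .htaccess proposals in this thread. It does not call into Apache.

# Assumption: stock PHP module mapping, i.e. "AddHandler application/x-httpd-php .php".
ADD_HANDLER = {"php": "application/x-httpd-php"}

# The plugin's uploads whitelist, same regex as in the thread (dot escaped).
STATIC_WHITELIST = re.compile(
    r"\.(jpe?g|png|gif|mp3|wav|ogg|m4a|mp4|mov|wmv|avi|mpg|ogv|3gp|3g2"
    r"|pdf|docx?|pptx?|ppsx?|odt|xlsx?|zip)$", re.I)


def mod_mime_handler(filename):
    """mod_mime looks at every dot-separated extension; the right-most one
    with a registered handler wins, so 'evil.php.png' is handed to PHP."""
    handler = "default-handler"
    for ext in filename.lower().split(".")[1:]:
        handler = ADD_HANDLER.get(ext, handler)
    return handler


def uploads_whitelist_policy(filename):
    """The plugin's uploads/.htaccess: only whitelisted names are served,
    but the handler is still whatever mod_mime derived from the extensions."""
    if not STATIC_WHITELIST.search(filename):
        return ("403 Forbidden", None)
    return ("200 OK", mod_mime_handler(filename))


def root_sethandler_policy(filename):
    """The proposed root .htaccess: SetHandler default-handler for every file,
    then a FilesMatch on names ending in .php re-enables PHP for those only.
    SetHandler takes precedence over the AddHandler extension mapping."""
    if re.search(r"\.php$", filename):
        return ("200 OK", "application/x-httpd-php")
    return ("200 OK", "default-handler")


def combined_policy(filename):
    """Root SetHandler rules plus the uploads whitelist kept as-is."""
    status, _ = uploads_whitelist_policy(filename)
    if status != "200 OK":
        return (status, None)
    return root_sethandler_policy(filename)


if __name__ == "__main__":
    for name in ("photo.png", "evil.php", "evil.php.png"):
        print(name, uploads_whitelist_policy(name), combined_policy(name))
```

With the whitelist alone, evil.php.png is served and reaches the PHP handler; with the root SetHandler rules added, the same name is served as a plain static file.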


The topic ‘Fix for uploads directory code execution doesn't work’ is closed to new replies.