Mailing List Archive

upload/filelist.PHP
Hello,

the user "Mrzha" uploaded a file named filelist.PHP. This file provides a
file system browser to inspect all directories on the web server it is
installed to. Can an administrator please delete this file and ensure
that no PHP-files are interpreted when stored in /upload/?

This filelist.PHP is not very harmful, but using the same way it might be
possible to hijack the entire server. (As done with www.apache.org some
years ago, also starting with an upload directory executing PHP to get an
"initial contact").

Best regards,

jens
Re: upload/filelist.PHP
Done... I added 'AddType' directives for .php and .phtml to make them
text/html. Should they be text/plain?

Jason

Jens Frank wrote:

> Hello,
>
> the user "Mrzha" uploaded a file named filelist.PHP. This file provides a
> file system browser to inspect all directories on the web server it is
> installed to. Can an administrator please delete this file and ensure
> that no PHP-files are interpreted when stored in /upload/?
>
> This filelist.PHP is not very harmful, but using the same way it might be
> possible to hijack the entire server. (As done with www.apache.org some
> years ago, also starting with an upload directory executing PHP to get an
> "initial contact").
>
> Best regards,
>
> jens

--
"Jason C. Richey" <jasonr@bomis.com>
Re: upload/filelist.PHP
Ah... Done. I removed my lame fix and put in this much better fix.
Thanks Brion!

Jason

Brion L. VIBBER wrote:

> Something like this should override the PHP setting (and anything else
> in that directory that would be getting special treatment from the
> server):
>
> <Directory /bla/bla/wikipedia/upload>
> SetHandler default-handler
> </Directory>

--
"Jason C. Richey" <jasonr@bomis.com>
Re: upload/filelist.PHP
On mer, 2002-06-05 at 14:27, Jens Frank wrote:
> Hello,
>
> the user "Mrzha" uploaded a file named filelist.PHP. This file provides a
> file system browser to inspect all directories on the web server it is
> installed to. Can an administrator please delete this file and ensure
> that no PHP-files are interpreted when stored in /upload/?

I've deleted it, but I can't do anything preemptive.

It's occasionally been suggested that the software might be changed to
reject certain file types, or only accept certain file types, but it's
never really gotten discussed or implemented. Theoretically, one might
well want to upload a sample PHP source file to go along with the
article about PHP (as, for instance, there are a couple Ruby scripts up
there)... but it sure as heck shouldn't be runnable on the server!

> This filelist.PHP is not very harmful, but using the same way it might be
> possible to hijack the entire server. (As done with www.apache.org some
> years ago, also starting with an upload directory executing PHP to get an
> "initial contact").

A while ago I sent Jimbo a fix for this problem (that is, uploaded .php
files being runnable) for the Apache configuration. I don't know if it
didn't get installed, or if it got installed but didn't work.

Here it is again:
-----------------------------------------------------------------------
Something like this should override the PHP setting (and anything else
in that directory that would be getting special treatment from the
server):

<Directory /bla/bla/wikipedia/upload>
SetHandler default-handler
</Directory>
-----------------------------------------------------------------------

Can someone please confirm when this has been put in place?

-- brion vibber (brion @ pobox.com)
Re: upload/filelist.PHP
On mer, 2002-06-05 at 14:56, Jason Richey wrote:
> Ah... Done. I removed my lame fix and put in this much better fix.
> Thanks Brion!

Okay, now if I go to an uploaded PHP file I get an offer to download a
file of type application/x-httpd-php. So far, so good! Renaming the same
file as test.html, it now gets treated as plain HTML instead of as PHP.
Excellent, big thanks Jason!

(Hmm, better make sure this gets done on meta.wikipedia.com as well.)

-- brion vibber (brion @ pobox.com)
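An added example, not part of the thread or of the Wikipedia software: a small audit that lists files already sitting in an upload directory whose names carry an extension the server maps to PHP, so they can be reviewed on hosts where the SetHandler override is not yet in place. The extension set (.php and .phtml, the two named in the thread) and the function names are assumptions; the directory tree is constructed sample data.

```python
import os
import tempfile

# Assumption: extensions mapped to PHP on the server being audited.
# .php and .phtml are the two named in the thread; adjust to the real config.
HANDLER_EXTENSIONS = {"php", "phtml"}


def handler_extensions(filename, mapped=HANDLER_EXTENSIONS):
    """Return the mapped extensions present in filename.

    Apache's mod_mime compares extensions case-insensitively and looks at
    every dot-separated extension after the base name, so a mapped
    extension is flagged here even when it is upper-case or not the last one.
    """
    parts = os.path.basename(filename).split(".")[1:]
    return [p for p in parts if p.lower() in mapped]


def audit_upload_dir(root, mapped=HANDLER_EXTENSIONS):
    """Walk root and return the sorted relative paths of files to review."""
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if handler_extensions(name, mapped):
                full = os.path.join(dirpath, name)
                flagged.append(os.path.relpath(full, root))
    return sorted(flagged)


def demo():
    """Run the audit over a constructed directory tree (sample names only)."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "archive"))
        for rel in ("filelist.PHP", "photo.jpg", "example.rb",
                    "archive/notes.phtml.txt", "archive/php-logo.png"):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("constructed sample\n")
        return audit_upload_dir(root)


if __name__ == "__main__":
    for path in demo():
        print("review:", path)
```

A flagged name is a candidate for review, not proof that the server executes it; whether it does depends on the handler configuration in effect for that directory.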