Hi Arno!

Seems to be the standard behaviour of Apache servers all over the world!

I was testing this way:

First I renamed a real, proper GIF file to "this.php.nice.gif", put it in the root of my websites and called it with the browser. Result: "Error 500 Internal Server Error". The logfile tells: "Premature end of script headers: this.php.nice.gif".

Then I infected the same GIF file with some PHP code (<?php echo "Hello, I'm evel"; ?>), renamed it to "this.php.evel.gif", put it in the root, called it with the browser. The result was exactly the same: Error 500, Premature end of script headers.

That means, whether the file is infected or not, it IS passed to the PHP interpreter only because it contains ".php" somewhere in its name!

Then I renamed a real PHP script to "test.php.gif". This finally produced the following response from my web hoster:

_QUOTE_
Files with Extra ".php." Extension

If you were directed to this page, you probably tried viewing a file that contains .php. in its name, such as image.php.jpeg or image.php. (note the extra dot at the end).

The site you were visiting uses the Apache Web server, which will usually attempt to run such files as PHP scripts (instead of allowing your browser to display them as images, or completely failing to run them, as you'd probably expect).

Allowing those files to run as a PHP script is a security vulnerability, as seen in exploits for WordPress and Joomla. Because of that, we block requests to these files.

If you're the owner of this site and you want to use a real image that includes ".php." as part of the name, please rename the file.
_END QUOTE_

Sounds reasonable. And means, you really must protect your uploads.

A simple way:

    // Remove ".php" from the client-supplied file name
    $filename = str_replace('.php', '', $_FILES['userfile']['name']);
    // Move the uploaded file into the target directory under that name
    move_uploaded_file($_FILES['userfile']['tmp_name'], 'yourdirectory/'.$filename);

Hope this helps,
Niklaus

Arno Kuhl on Thursday, 19 September 2013 - 16:14:
> Arno: If you can request that file using a web browser, and it gets executed
> as PHP on your server then there is an error in the Apache configuration.
>
> Easy test: create a file in a text editor containing some PHP (<?php
> phpinfo(); ?> would be enough) and upload it to the www root of your site
> and name it test.pgif. Then hit http://www.yourdomain.com/test.pgif in your
> browser. If you see the PHP code or an error then you're fine. If you see
> PHP's info page then you need to change web host as quickly as possible. I
> don't care if they fix it - the fact their server was configured to do this
> by default is enough for me to never trust them again.
>
> -Stuart
> --
>
> Thanks Stuart. I just tried it now, test.php.pgif displayed the info while
> test.xyz.pgif returned the content, confirming the problem. My service
> provider finally conceded the problem is on their side and are looking for
> an urgent fix, much too complicated to consider moving service providers in
> the short term.
>
> As a side note, the sp said the issue is new and coincided with an upgrade
> to fastcgi recently, I wonder if the hacker was exploiting a known issue
> with that scenario?
>
> Cheers
> Arno
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
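
An added example, not part of the message above or of the thread: because the server hands a file to PHP as soon as ".php" appears anywhere in its name, one way to protect uploads is to discard the client-supplied name entirely and store the file under a server-generated name with exactly one allowlisted extension. The function names, the image allowlist and the reliance on PHP's fileinfo extension are assumptions made for this sketch.

```php
<?php
declare(strict_types=1);

// Added example; the names below are hypothetical, not from the thread.
// Detected MIME type => the single extension the stored file will get.
const ALLOWED_IMAGE_TYPES = [
    'image/gif'  => 'gif',
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
];

// Build a storage name that contains nothing from the client-supplied name:
// a random base plus exactly one allowlisted extension, so no ".php" segment
// can appear anywhere in it.
function safe_upload_name(string $tmpPath): ?string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !array_key_exists($mime, ALLOWED_IMAGE_TYPES)) {
        return null;                       // not an accepted image type
    }
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
}

// Move one entry of $_FILES into $destDir; returns the stored name or null.
function store_upload(array $file, string $destDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $name = safe_upload_name($file['tmp_name']);
    if ($name === null) {
        return null;
    }
    // move_uploaded_file() itself refuses paths that are not real uploads.
    $target = rtrim($destDir, '/') . '/' . $name;
    return move_uploaded_file($file['tmp_name'], $target) ? $name : null;
}

// Usage in an upload handler (field name 'userfile' as in the message above):
// $stored = store_upload($_FILES['userfile'], 'yourdirectory');
```

The type check only selects the extension; a GIF with PHP embedded in it still passes, and it is the generated name that keeps the file away from the PHP handler.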