Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Bug with .php extension?

From: Michael Ligh <michael.ligh () mnin org>
Date: Mon, 5 Dec 2005 07:59:08 -0500
I think this is due to Apache's mod_mime_magic:

http://httpd.apache.org/docs/1.3/mod/mod_mime_magic.html

Lots of phishers are using files named *.php.rar recently.

On 12/5/05, Simon Richter <Simon.Richter () hogyros de> wrote:


Hello,

Ron wrote:


In Apache 1.3.33 (untested on any other version), if you have a file
called file.php.bak, and you navigate to it in the browser, it will run
on the server as a .php file.  This works with any extension that isn't
known to the server (.rar, .bak, .test, .java, .cpp, .c, etc.)


I would think this is related to "Options MultiViews", where a file
generally has many suffixes (file type, language, compression, ...).
Does this also happen to you (yes, I'm too lazy to try right now) if you
turn MultiViews off?

Nevertheless, good idea that script authors should possibly be aware
that any suffix, not just the last, is interpreted.

    Simon


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: