Bug#562006: apache2 default php setup is wrong
package: apache2
version: 2.2.14-4
tags: security
Hey Apache,
A small (4-line) patch is needed on /etc/apache2/mods-available/php5.conf.
All that is required is a change from

    AddType application/x-httpd-php .php

to

    <FilesMatch \.php$>
    SetHandler application/x-httpd-php
    </FilesMatch>

The issue lies in the fact that AddType 'suggests' to the HTTP clients
what to do with .php files, instead of forcing the server to parse them.
This causes the server to hand out the PHP file because it depends on
the client to ask nicely.
This behavior and its work-around are outlined clearly here [1].
This can be considered a security risk; it is common to have passwords
and other sensitive data in the PHP script.
All the best,
Paul Tagliamonte
[1]: http://wiki.apache.org/httpd/DebianPHP
--
#define sizeof(x) rand()
:wq
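
Added example (not part of the original report or of the Debian package): a small Python check that flags AddType lines mapping application/x-httpd-php and lists the FilesMatch patterns under which SetHandler is set, matching the change the report asks for. The function name audit and both sample configurations are constructed for illustration.

```python
import re

PHP_TYPE = re.escape("application/x-httpd-php")
# Apache directive names are case-insensitive, hence re.I throughout.
ADDTYPE = re.compile(r"^AddType\s+" + PHP_TYPE + r"\s+\S", re.I)
OPEN = re.compile(r"^<FilesMatch\s+(.+?)>$", re.I)
CLOSE = re.compile(r"^</FilesMatch>$", re.I)
SETHANDLER = re.compile(r"^SetHandler\s+" + PHP_TYPE + r"$", re.I)

# Constructed sample, built from the 'before' line in the report.
OLD_CONF = r"""# php5.conf (constructed sample)
AddType application/x-httpd-php .php
"""

# Constructed sample, built from the 'after' block in the report.
NEW_CONF = r"""# php5.conf (constructed sample)
#AddType application/x-httpd-php .php
<FilesMatch \.php$>
    SetHandler application/x-httpd-php
</FilesMatch>
"""


def audit(conf_text):
    """Return (findings, handlers).

    findings: (line_no, text) for each active AddType line that maps the
              PHP MIME type to an extension.
    handlers: FilesMatch patterns inside which SetHandler forces PHP.
    """
    findings, handlers, current = [], [], None
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blanks and comments
            continue
        m = OPEN.match(line)
        if m:
            current = m.group(1).strip('"')    # entering a FilesMatch block
        elif CLOSE.match(line):
            current = None
        elif SETHANDLER.match(line) and current is not None:
            handlers.append(current)
        elif ADDTYPE.match(line):
            findings.append((no, line))
    return findings, handlers


if __name__ == "__main__":
    for name, conf in (("old", OLD_CONF), ("new", NEW_CONF)):
        print(name, audit(conf))
```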