
Bug#562006: apache2 default php setup is wrong



package: apache2
version: 2.2.14-4
tags: security

Hey Apache,

A small (4-line) patch is needed on /etc/apache2/mods-available/php5.conf

All that is required is a change from

AddType application/x-httpd-php .php

to

<FilesMatch \.php$>
  SetHandler application/x-httpd-php
</FilesMatch>


The issue lies in the fact that AddType 'suggests' to the HTTP clients
what to do with .php files, instead of forcing the server to parse it.
This causes the server to hand out the PHP file because it depends on
the client to ask nicely.

This behavior, and the work-around, are outlined clearly here [1].

This can be considered a security risk; it is common to have passwords
and other sensitive data in the PHP script.

All the best,
Paul Tagliamonte

[1]: http://wiki.apache.org/httpd/DebianPHP


-- 
#define sizeof(x) rand()
:wq
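
An added example, not part of the original report or of the Debian package: a small Python check that tells whether a configuration text still carries the AddType mapping or uses the FilesMatch/SetHandler form proposed above. The function names and the sample strings are constructed for illustration.

```python
PHP_TYPE = "application/x-httpd-php"

# Constructed samples: the "from" and "to" forms quoted in the report.
BEFORE = "# php5.conf (constructed sample)\nAddType application/x-httpd-php .php\n"
AFTER = (
    "<FilesMatch \\.php$>\n"
    "  SetHandler application/x-httpd-php\n"
    "</FilesMatch>\n"
)


def audit(conf_text):
    """Return line numbers of AddType PHP mappings and of SetHandler
    PHP lines that sit inside a <FilesMatch> section."""
    addtype, sethandler = [], []
    depth = 0  # current <FilesMatch> nesting depth
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        words = line.lower().split()  # directive names are case-insensitive
        if words[0].startswith("<filesmatch"):
            depth += 1
        elif words[0].startswith("</filesmatch"):
            depth = max(0, depth - 1)
        elif len(words) > 1 and words[1].strip("\"'") == PHP_TYPE:
            if words[0] == "addtype":
                addtype.append(lineno)
            elif words[0] == "sethandler" and depth > 0:
                sethandler.append(lineno)
    return {"addtype": addtype, "sethandler": sethandler}


def uses_proposed_form(conf_text):
    """True when no AddType PHP mapping remains and a FilesMatch-scoped
    SetHandler is present."""
    result = audit(conf_text)
    return not result["addtype"] and bool(result["sethandler"])


if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(text), uses_proposed_form(text))
```
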


