Re: [Security-Discuss] Possible PHP hole in Perl?

From: Bob PuffNLE (PuffNLE)
Date: Mon Jun 14 2004 - 19:21:27 CDT


Hello Ronald,

At least in Mdk 8.2 and up, if you installed Apache and Apache-mod_perl, the Apache-mod_perl would
answer on port 8200. I've got an app that runs in perl, and it runs much faster under the apache
mod_perl server. Good stuff.

Now here's the problem: let's say you have a php file that accesses a database. Within the php
file, you put the username/password for the database. Normally, a user would never see this code,
as it is executed by the php processor called from Apache. Let's say your file is called test.php.
So if you browse: http://yourserver/test.php, you'll see the rendered page. However, if you
browse http://yourserver:8200/test.php, it triggers a download of the actual (unrendered) php file,
comments and all. Normally, one would not try to access a php file via the apache mod_perl, but I
just tried doing it on a bunch of machines here, and it does the above on all of them.

This could be a huge security leak. I know at least for my scripts, it will reveal sql passwords,
and certain file paths.

For now, I've disabled the port 8200 on those sites. But there must be some simple fix.

Bob

Ronald Ip wrote:
> On Mon, 2004-06-14 at 12:04, Bob Puff wrote:
>
>>Hmm, I just tried this with a pretty stock 9.0, as well as a 9.2 install of
>>Apache2 and Apache-perl, and the same thing - when browsing a .php page on the
>>Apache-perl port, I see the original php source.
>>
>>If this is a misconfig in the apache-perl config, what part tells it to
>>include the php rendering engine? It certainly appears to be not working by
>>default.
>
>
> The directives to be included into httpd.conf by php is usually found in
> /etc/httpd/conf.d/*_mod_php.conf
>
> I'm not exactly sure if apache-perl should be used to serve php pages
> alone(?). When I used Apache1, both Apache1 and Apache1-perl were made to
> work together by default, allowing the Apache1 to handle regular pages
> and Apache1-perl to handle the dynamic stuff. http://www.advx.org/
>
> Therefore, I am quite confused by "when browsing a .php page on the
> Apache-perl port, I see the original php source."
>
> The Apache-perl port part. How did you access it? Via regular port 80?
>
> Please correct me if I am wrong.
>
> --Ronald
>
>
>>Bob
>>
>>---------- Original Message -----------
>>From: "Ronald Ip" <myselfiphoting.com>
>>To: security-discusslinux-mandrake.com
>>Sent: Mon, 14 Jun 2004 00:41:51 +0800 (SGT)
>>Subject: Re: [Security-Discuss] Possible PHP hole in Perl?
>>
>>
>>>Hi,
>>>
>>>Bob PuffNLE said:
>>>
>>>>Hello,
>>>>
>>>>Just saw this tonight on one of my boxes. If I have mod_perl running as a
>>>>webserver on port 8200
>>>>(the default), and I browse to a .php page, the page is sent without being
>>>>rendered by the php
>>>>engine - exposing some potentially juicy stuff. Is this a
>>>>misconfiguration on my part, or a
>>>>real hole?
>>>
>>>It's more like a mis-config. Check that you have the relevant directives
>>>required by php in your httpd.conf.
>>>
>>>
>>>>Bob
>>>>
>>>>Example: http://localhost:8200/myfile.php
>>>>
>>>>
>>>>
>>>
>>>--
>>>Ronald Ip myselfiphoting.com
>>>gpg public key http://iphoting.iphoting.com/iphoting.asc
>>>Fingerprint: {6A7E AB1E A822 E621 4DEC 11C4 F355 0635 71D7 1151}
>>
>>------- End of Original Message -------
>>
>>
>>
>
> --
> Ronald Ip myselfiphoting.com
> gpg public key http://iphoting.iphoting.com/iphoting.asc
> Fingerprint: {6A7E AB1E A822 E621 4DEC 11C4 F355 0635 71D7 1151}

____________________________________________________
Want to buy your Pack or Services from MandrakeSoft?
Go to http://www.mandrakestore.com
Join the Club : http://www.mandrakeclub.com
____________________________________________________
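The thread boils down to a second Apache instance (the mod_perl server on port 8200) that has no PHP handler configured, so a request for test.php falls through to the default handler and the file is sent as plain text. The fragment below is an added illustration of the two ways a defender can close that gap; it is not configuration from the thread or from Mandrake's packages. It assumes an Apache 2.0-style configuration, a hypothetical /etc/httpd/conf/httpd-perl.conf for the mod_perl instance, and the /etc/httpd/conf.d/*_mod_php.conf location Ronald mentions for the PHP directives.

```apache
# Added example (not from the thread). Assumed file: /etc/httpd/conf/httpd-perl.conf,
# the configuration of the mod_perl-only instance that answers on port 8200.
Listen 8200

# Weak setting (what the thread describes): nothing below maps .php to a
# handler, so Apache's default handler serves /test.php as a static file
# and the client receives the raw source, database credentials included.
#
# (no AddType / AddHandler / LoadModule for PHP in this file)

# Fix, option 1: this instance exists only for mod_perl, so refuse to serve
# PHP source files at all. Include the common extensions and the .inc
# files that often hold credentials. "Order allow,deny" with an
# unconditional "Deny from all" rejects every client.
<FilesMatch "\.(php|php3|php4|phtml|inc)$">
    Order allow,deny
    Deny from all
</FilesMatch>

# Fix, option 2: if this instance really must render PHP, pull in the same
# mod_php directives the port-80 server loads, so .php is handled by the
# PHP engine here too (path from the thread; adjust for your layout).
# Include /etc/httpd/conf.d/*_mod_php.conf
```

Option 1 is the smaller change and the safer one: a mod_perl-only listener has no reason to hand out PHP files in any form, and a deny rule keeps working even if someone later drops a new .php file into the document root. After restarting the instance, a request for http://yourserver:8200/test.php should return 403 rather than the file body; checking that from a client is a quick way to confirm the fix took effect on each host.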