Alin Razvan

Reputation: 1523

Apache executes code in files that have .php prepended before the extension, e.g. .php.txt, php.pdf

What can I do to stop Apache executing code in files that have .php prepended before the extension, e.g. .php.txt, php.pdf? I do not know if this is related to the Webuzo admin panel and/or Apache in general.

Apache version 2.2.34

Opened a thread on the Webuzo forum, in case anyone else has this issue; it might be related: https://www.softaculous.com/board/index.php?tid=17642

Upvotes: 1

Views: 165

Answers (1)

MrWhite

Reputation: 45829

This is reasonably standard behaviour - files can have multiple extensions on Apache. (As they can on other OS / filesystems.)

However, this behaviour can be avoided.

Whether files that end in .php.txt or .php.pdf are processed for PHP is dependent on how PHP is enabled on the server.

For example, if you simply use AddHandler then any file that contains a .php extension (like .php.txt) will be processed by the PHP handler:

AddHandler application/x-httpd-php .php

However, if you only call SetHandler on the specific file pattern, i.e. when .php occurs at the end of the filename, then this behaviour can be avoided.

<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>

NB: This is not a copy/pastable solution - it really depends on how PHP is implemented on your Apache web server.

Depending on your requirements you could potentially block requests to files that contain a .php extension, but not at the end of the URL-path. For example:

<FilesMatch "\.php\.">
    Order Allow,Deny
    Deny from all
</FilesMatch>

NB: This is Apache 2.2 syntax (as stated in the question). If you are on Apache 2.4 then you'd use Require all denied instead of the Order and Deny directives in the last block.

Upvotes: 2
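
Added example (not part of the answer above or of the original page): a Python audit script that applies the answer's two FilesMatch patterns, plus a simplified model of AddHandler extension matching, to file names on disk, and lists the files that AddHandler would hand to PHP even though they do not end in .php. The function names and sample file names are constructed, and the model assumes .php is the only extension mapped to a handler.

```python
import os
import re
import tempfile

# The two patterns used in the answer's <FilesMatch> blocks.
ENDS_IN_PHP = re.compile(r"\.php$")
PHP_NOT_LAST = re.compile(r"\.php\.")

def addhandler_matches(name, ext="php"):
    """Simplified model of `AddHandler ... .php` (assumption: no other
    handler mappings): true if any dot-separated extension after the
    base name equals `ext`. mod_mime compares extensions case-insensitively."""
    parts = name.split(".")[1:]  # drop the base name
    return ext in (p.lower() for p in parts)

def classify(name):
    """Report how each configuration in the answer treats `name`."""
    return {
        "addhandler_runs_php": addhandler_matches(name),
        "filesmatch_runs_php": bool(ENDS_IN_PHP.search(name)),
        "blocked_by_deny_rule": bool(PHP_NOT_LAST.search(name)),
    }

def audit(root):
    """List files under `root` that AddHandler would run as PHP but
    that do not end in .php (the case raised in the question)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            c = classify(f)
            if c["addhandler_runs_php"] and not c["filesmatch_runs_php"]:
                hits.append(os.path.relpath(os.path.join(dirpath, f), root))
    return sorted(hits)

def demo():
    # Constructed sample tree, not taken from the page.
    names = ["index.php", "notes.php.txt", "report.php.pdf",
             "readme.txt", "php.pdf"]
    with tempfile.TemporaryDirectory() as root:
        for n in names:
            open(os.path.join(root, n), "w").close()
        return audit(root)

if __name__ == "__main__":
    for path in demo():
        print(path)
```

Pointing `audit()` at a document root or upload directory shows which existing files change behaviour when the server moves from AddHandler to the FilesMatch/SetHandler form.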
