Posted by Michael Fesser on 11/04/07 11:09
..oO(william.hooper@gmail.com)
>Yes, that's a possibility, but this is not a bank web site or a PayPal
>site. Please just tell me how you broke in... I thought by disabling
>files with ".php*" at the end the server would not have run PHP
>scripts, but you have found another way. Please just help me out even
>though you object to the approach in principle. I have been reading
>about it but have not found the answer, and meantime my site is down.
I'll try.
It's something in the server configuration. An Apache server can be
configured for a feature called content negotiation (CN). This means the
same resource (a page for example or an image) can be stored in
different versions with different or even multiple file extensions. Then
the server is able to automatically select the most appropriate one to
answer a request.
A simple example - consider these pages:
/foo.html.de
/foo.html.en
/foo.html.es
They are all the same document, but in different languages. If CN is
enabled and someone requests <http://example.com/foo.html>, the server
has three choices and will automatically select the one that matches the
user's preferred language (a bit simplified, but more or less it's like
that).
That's the mechanism, but the really important point here is that the
files on the server can have multiple file extensions. With CN enabled
not all of them have to be passed in the URL when requesting the file -
the server can still search and find them even if you omit some of the
extensions! And that's all I did to bypass your upload restriction. Your
script was checking for a '.php' extension. I just had to add another
arbitrary extension to it (e.g. '.php.42') and the upload worked again.
Because of CN I was also able to execute the script.
I didn't actually check the configuration of your server (because I
didn't find it where I expected it to be ;-), so I'm not sure if it's
really just the enabled CN on your machine, but it looks like it.
The keyword to search for in the server configuration is "MultiViews"
(which is usually not enabled by default). You could also try to add
this to a .htaccess file to disable CN for the site or a directory:
Options -MultiViews
Then check whether you're still able to create a file 'phpinfo.php.42',
for example, and request it with just 'phpinfo.php'.
Micha
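As an added example (not part of Michael's post or the original thread): a Python model of the last-suffix check he describes beside an allow-list check, a simplified model of how MultiViews matches a request against stored names, and an audit helper for an existing upload directory. The extension sets and sample file names are assumptions constructed for this example.

```python
import re
from typing import List

# Constructed for this example: extensions a typical PHP setup maps to a
# script handler, and the extensions an image/document upload should allow.
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar"}
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf"}


def naive_accepts(filename: str) -> bool:
    """The kind of check the thread describes: reject only names that END
    with '.php'. Returns True when the upload would be accepted."""
    return not filename.lower().endswith(".php")


def hardened_accepts(filename: str) -> bool:
    """Allow-list check: exactly one extension, and it must be allowed.
    Any extra dotted segment (e.g. 'x.php.42') fails the pattern outright,
    so MultiViews has nothing with a script extension to pick up."""
    m = re.fullmatch(r"([A-Za-z0-9_-]{1,100})\.([A-Za-z0-9]{1,10})", filename)
    return bool(m) and m.group(2).lower() in ALLOWED_EXTENSIONS


def multiviews_candidates(requested: str, stored: List[str]) -> List[str]:
    """Simplified model of content negotiation: a request for 'foo.html'
    can be served by any stored file that continues 'foo.html' with further
    extensions ('foo.html.de', 'foo.html.en', ...)."""
    return [f for f in stored if f == requested or f.startswith(requested + ".")]


def hidden_scripts(stored: List[str]) -> List[str]:
    """Audit helper for an upload directory: names where a script extension
    is NOT the last segment, i.e. files a last-extension check misses but
    MultiViews may still hand to the PHP handler."""
    hits = []
    for f in stored:
        extensions = f.lower().split(".")[1:]       # everything after the base name
        inner = extensions[:-1]                     # all but the final segment
        if any(ext in SCRIPT_EXTENSIONS for ext in inner):
            hits.append(f)
    return hits
```

The server-side counterpart is the `Options -MultiViews` line from the post; the allow-list check above is the application-side fix so that the upload does not depend on that setting.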