Thursday, December 29, 2016

Bypass of PHP file extension blacklist for file uploads in standard Ubuntu 12.04 LTS LAMP setup

Weeks ago, during a penetration test, I bypassed a file upload filter by naming the file ".php." (with a trailing dot).

I thought my customer had fucked up the config, but nevertheless I tried to reproduce it.
I downloaded an Ubuntu 12.04 LTS and installed the standard LAMP setup.
I was really surprised that the ".php." file extension gets executed like ".php".
I wrote a mail to the httpd security list, and after some mails the conclusion is that it's done by mod_php together with the standard MIME types defined in /etc/mime.types.
(Newer versions use FilesMatch in /etc/apache2/*.)
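To make the two mechanisms concrete, here is an added example (not code from the post or from Debian/Ubuntu) that models both on the defender's side. It emulates the multiple-extension rule documented for Apache's mod_mime (every dot-separated segment is an extension, segments not listed in mime.types are skipped, the rightmost listed one sets the media type) against a constructed excerpt of a Debian-style /etc/mime.types, compares that with an end-anchored FilesMatch pattern of the kind the newer php5.conf uses (the exact alternation is an assumption), and ends with an allow-list filename check for an upload handler. The MIME_TYPES table, the FILESMATCH_PHP regex and the sample file names are all constructed for this example.

```python
import re
from typing import Optional

# Constructed excerpt of a Debian-style /etc/mime.types table. Assumption: the
# real file has hundreds of rows; the post attributes the bypass to its
# "application/x-httpd-php" row being picked up by mod_mime's TypesConfig.
MIME_TYPES = {
    "php": "application/x-httpd-php",
    "phtml": "application/x-httpd-php",
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
    "png": "image/png",
    "txt": "text/plain",
    "html": "text/html",
}
PHP_TYPE = "application/x-httpd-php"

# Pattern of the kind the newer php5.conf puts in a <FilesMatch> block
# (assumed form; the real file's alternation may differ). The "$" anchor is
# the point: the match must end at the last character of the file name, so a
# trailing dot breaks it.
FILESMATCH_PHP = re.compile(r"\.ph(p[345]?|t|tml)$")


def mod_mime_type(filename: str) -> Optional[str]:
    """Approximate mod_mime's multi-extension rule: every dot-separated
    segment after the base name is an extension, segments not listed in
    mime.types (including the empty one left by a trailing dot) are skipped,
    and the rightmost listed segment decides the media type."""
    media_type = None
    for ext in filename.split(".")[1:]:
        ext = ext.lower()          # mod_mime compares extensions case-insensitively
        if ext in MIME_TYPES:
            media_type = MIME_TYPES[ext]
    return media_type


def executed_by_legacy_config(filename: str) -> bool:
    """Legacy setup: mod_php handles anything whose media type is PHP_TYPE."""
    return mod_mime_type(filename) == PHP_TYPE


def executed_by_filesmatch(filename: str) -> bool:
    """Newer setup: the handler is set only when the anchored regex matches."""
    return FILESMATCH_PHP.search(filename) is not None


ALLOWED_UPLOAD_EXTS = {"jpg", "jpeg", "png"}
BASENAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def upload_filename_ok(filename: str) -> bool:
    """Allow-list check for an upload handler: exactly one dot, a plain base
    name, and an extension from the allow-list. Because the whole name is
    allow-listed, trailing dots, path separators and stacked extensions are
    rejected without having to enumerate them."""
    parts = filename.split(".")
    if len(parts) != 2:
        return False
    base, ext = parts
    return bool(BASENAME_RE.match(base)) and ext.lower() in ALLOWED_UPLOAD_EXTS


if __name__ == "__main__":
    # Constructed sample names, including the trailing-dot case from the post.
    samples = ["photo.jpg", "hello.php", "hello.php.", "photo.php.jpg", "notes.txt"]
    print(f"{'file name':16} {'mime.types type':24} {'legacy':7} {'FilesMatch':11} upload ok")
    for name in samples:
        print(f"{name:16} {str(mod_mime_type(name)):24} "
              f"{str(executed_by_legacy_config(name)):7} "
              f"{str(executed_by_filesmatch(name)):11} {upload_filename_ok(name)}")
```

Running it prints one row per sample: under the mime.types-driven mapping "hello.php." gets the PHP media type (the empty trailing segment is simply skipped), while the end-anchored FilesMatch pattern does not match it; "photo.php.jpg" is typed image/jpeg because the rightmost listed extension wins. The allow-list validator is the application-side control that holds regardless of which server configuration is in place.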