Apache AddType Issue

A recent SANS ISC diary entry mentions an interesting configuration point that I had been previously unaware of. It seems that AddType doesn't just enable the extension; it enables all files containing that string.

Example: AddType application/x-httpd-php .php

In the above example, both phpinfo.php and phpinfo.php.bak would be parsed as PHP. I found this to be rather interesting and started testing with a few servers I have handy.

It appears as though this isn't the case 100% of the time.

I tested 3 servers running Apache 1.3.34, 2.2.4 and 2.2.8. It was true on the server running Apache 1.3.34; however, it wasn't true on the two Apache 2.2 systems.

I contacted the handlers at ISC to follow up with them; however, I haven't heard anything confirming one way or another. Has anyone else tested this on their servers?
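
An added example, not part of the original post: a small Python audit that lists files under a document root whose names carry a handler-mapped extension such as .php in a non-final position (the phpinfo.php.bak case above). The extension set, the function names, the sample file names and the choice to compare dot-separated name components case-insensitively are assumptions made for illustration.

```python
import os
import tempfile

# Assumption: extensions mapped to an executable handler in the audited config.
HANDLER_EXTS = {"php"}

def risky_extension(filename, handler_exts=HANDLER_EXTS):
    """Return the mapped extension found in a non-final position, else None.

    'phpinfo.php.bak' -> 'php'; 'phpinfo.php' -> None (the intended case).
    """
    # Assumption: extensions are compared case-insensitively.
    parts = filename.lower().split(".")
    # parts[0] is the base name and parts[-1] the final extension; anything
    # in between is an inner extension a multi-extension match would see.
    for ext in parts[1:-1]:
        if ext in handler_exts:
            return ext
    return None

def audit(docroot, handler_exts=HANDLER_EXTS):
    """Walk docroot and return sorted (relative path, matched extension) pairs."""
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            ext = risky_extension(name, handler_exts)
            if ext:
                rel = os.path.relpath(os.path.join(dirpath, name), docroot)
                hits.append((rel.replace(os.sep, "/"), ext))
    return sorted(hits)

def demo():
    """Build a constructed sample tree in a temp directory and audit it."""
    names = ["index.php", "phpinfo.php.bak", "uploads/avatar.PHP.jpg",
             "uploads/photo.jpg", "notes.phps.txt", "php.ini"]
    with tempfile.TemporaryDirectory() as root:
        for n in names:
            path = os.path.join(root, *n.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return audit(root)

if __name__ == "__main__":
    for path, ext in demo():
        print(f"{path}: inner .{ext} extension")
```

Whether a flagged file is actually parsed depends on the server, as the tests above show, so each hit is something to request from the server and check rather than proof of exposure.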


  1. April 10th, 2009 at 10:41 | #1

    Old and known; it’s been fixed for some time now : )
    Most file upload attacks worked thanks to that “feature”.

    byee
    ascii
    ush.it
