Is it dangerous to leave mod_mime_magic active in Apache?

4

I was once arguing with a programmer more experienced than myself (the user @Bacco) about uploading files.

I was commenting to him that it did not make sense for someone to try uploading a file with a jpg extension that has a PHP script inside its content, and that there was no need to worry about that since Apache would not read the content as PHP (as I believe I have seen a configuration in Apache where the file extensions that will be interpreted as PHP are listed).

However, this user reported that this can be risky if the mod_mime_magic extension is enabled in Apache, because theoretically (for me it is theoretical because I have never used it) it would interpret a file based on the file's MIME type.

As far as my experience goes, I know there would be problems doing a include (of PHP) in that file, then it would be interpreted as PHP. But I've never had problems with Apache interpreting a JPG as PHP.

This obviously left me with some concerns and I would like to know a few things about it:

  • How does this mod_mime_magic of Apache work in detail?

  • Is this mod_mime_magic really dangerous like this?

  • Is it active by default in Apache?

  • How do I know if it is active or not?

  • If I want to enable mod_mime_magic , how could I ensure that a file that has been uploaded to my application has no "malicious content in disguise"?

asked by anonymous 18.10.2016 / 13:19

1 answer

2

I cannot see a security hole in this module, because as per the documentation link the context for using MimeMagicFile is only server config and virtual host, i.e. only someone with administrative level (or rather, with complete control over the server) could swap the magic file for something with problems; if something fails in this context, it is a problem that goes way beyond the modules.

To see the "problem" occurring, we would first have to create a file named /home/user/meumagic with this content (it's just an example):

# php
0  string  \<\?php             application/x-httpd-php

# Frame
0  string  \<MakerFile        application/x-frame
0  string  \<MIFFile          application/x-frame
0  string  \<MakerDictionary  application/x-frame
0  string  \<MakerScreenFon   application/x-frame
0  string  \<MML              application/x-frame
0  string  \<Book             application/x-frame
0  string  \<Maker            application/x-frame

# MS-Word
0  string  \376\067\0\043            application/msword
0  string  \320\317\021\340\241\261  application/msword
0  string  \333\245-\0\0\0           application/msword

In Apache you would have to configure it like this:

MimeMagicFile /home/user/meumagic

So in this case any file that starts with <?php would be executed; however, notice that it is very laborious, this is practically an induced security flaw.

How could an uploaded file run as a PHP script?

As far as I understand the Apache modules I know, the only one that could really cause a security breach would be ForceType of the core module. Before explaining it, I'll explain how PHP scripts run in Apache most of the time.

To run PHP, Apache can use several methods; however, the most common are Fast-CGI and the Apache2handler (the latter most common on Windows).

For you to define what PHP will execute, you configure the enabled file extensions in httpd.conf like this (this example would be on Windows):

LoadModule php5_module c:/php/php5apache2_4.dll
AddType application/x-httpd-php .php

Or:

<FilesMatch \.php$>
    SetHandler application/x-httpd-php
</FilesMatch>

Or even (php2, phtml):

<FilesMatch "\.ph(p|tml)$">
    SetHandler application/x-httpd-php
</FilesMatch>

So here the "mimetype" application/x-httpd-php is set for the extensions .php and .phtml, and you could use any extension to create one like this:

AddType application/x-httpd-php .wallace

All files ending in .wallace will run as PHP scripts.

Now returning to ForceType, imagine that somehow the upload script developer did not filter the upload and this allows uploading a .htaccess file with this content:

ForceType application/x-httpd-php

And then on the next upload they send a .jpg with the following content:

<?php
echo 'Oi';

And the upload folder has permission to execute and public access, so the malicious person would access it like this:

http://site-vulneravel.com/uploads/upload.jpg

It would run the script.

Note that for the security breach to occur, the following were required:

  • Permission in the uploads folder to execute scripts
  • The uploads folder being published (or accessible via HTTP)
  • Lack of filters / validation in the upload script

So you ask yourself: but isn't this impossible? Maybe for those who have a minimum of knowledge and/or responsibility, yes, but with several "developers" this can indeed happen.

Answering the questions in the topic

  • How does this Apache mod_mime_magic work in detail?

    • Answer: It changes the magic file containing the MIME types used for file identification; .htaccess does not have access to it
  • Is this mod_mime_magic really dangerous like that?

    • Answer: I would say no; if it were the cause of a security problem, it would be because of irresponsibility of someone with full control over Apache
  • Is it active by default in Apache?

    • Response: Varies from server to server.
  • How do I know if it is active or not?

    • Answer: I believe just by looking at httpd.conf, since it is only accessible at this "level"
  • If I want to enable mod_mime_magic , how could I ensure that a file that has been uploaded to my application has no "malicious content in disguise"?

    • Answer: As I explained in the rest of the answer, I do not believe that it could cause this problem, and if it occurs it is not directly a fault of the module but of whoever controls the server.
18.10.2016 / 16:44
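The following is an added example, not code from the question or the answer above. It re-implements, in Python, the kind of matching mod_mime_magic does with the magic file shown in the answer (offset, test type, value, MIME type; first matching top-level rule wins; continuation lines starting with ">" are not modelled, and only the "string" and "beshort"/"short" test types are supported), and then applies the upload check the last question asks about: allow-listed extension, no dotfile or double-extension names, and magic bytes that agree with the extension. The "php" rule is the answer's induced one, the Frame rules are the ones quoted there, the JPEG rule and all sample files are constructed for this example.

```python
# Added example: a minimal mod_mime_magic-style matcher plus an upload policy.
# Not the Apache module's code; rule syntax follows the magic file on the page.
import re
import struct
from typing import List, Optional, Tuple

# Rules in magic-file syntax: offset, type, value, mime.
MAGIC_RULES = r"""
# php (the answer's induced rule; Apache's stock magic file has no such entry)
0  string  \<\?php             application/x-httpd-php

# Frame (quoted from the answer)
0  string  \<MakerFile        application/x-frame
0  string  \<MIFFile          application/x-frame

# JPEG (constructed for this example: JPEG files begin with bytes FF D8)
0  beshort  0xffd8            image/jpeg
"""

_ESCAPE = re.compile(r"\\(x[0-9a-fA-F]{2}|[0-7]{1,3}|.)")


def unescape(value: str) -> bytes:
    """Decode magic-file escapes (\\<, \\?, \\0, \\376 ...) into raw bytes."""
    def repl(m: "re.Match[str]") -> str:
        tok = m.group(1)
        if tok.startswith("x"):
            return chr(int(tok[1:], 16))
        if tok[0] in "01234567":
            return chr(int(tok, 8))
        return {"n": "\n", "t": "\t", "r": "\r"}.get(tok, tok)
    return _ESCAPE.sub(repl, value).encode("latin-1")


def parse_rules(text: str) -> List[Tuple[int, str, str, str]]:
    """Turn magic-file lines into (offset, type, value, mime) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        offset, kind, value, mime = line.split(None, 3)
        rules.append((int(offset, 0), kind, value, mime.strip()))
    return rules


def rule_matches(data: bytes, offset: int, kind: str, value: str) -> bool:
    """Test one rule against the file content at the given offset."""
    if kind == "string":
        needle = unescape(value)
        return data[offset:offset + len(needle)] == needle
    if kind in ("beshort", "short"):
        if len(data) < offset + 2:
            return False
        fmt = ">H" if kind == "beshort" else "<H"
        return struct.unpack(fmt, data[offset:offset + 2])[0] == int(value, 0)
    raise ValueError(f"unsupported magic type: {kind}")


def magic_type(data: bytes, rules) -> Optional[str]:
    """First matching rule wins; None means 'no magic match' (Apache then falls
    back to the extension-based type from mod_mime)."""
    for offset, kind, value, mime in rules:
        if rule_matches(data, offset, kind, value):
            return mime
    return None


# Defender-side policy: extension allow-list mapped to the content type it must have.
ALLOWED = {".jpg": "image/jpeg", ".jpeg": "image/jpeg"}


def check_upload(filename: str, data: bytes, rules) -> Tuple[bool, str]:
    """Accept an upload only if its name is harmless, its extension is
    allow-listed and the magic bytes agree with that extension."""
    name = filename.lower()
    # Apache reads .htaccess wherever AllowOverride permits it, so dotfiles and
    # multi-extension names (upload.php.jpg) are rejected outright (strict policy).
    if name.startswith(".") or name.count(".") != 1:
        return False, "rejected: dotfile or multiple extensions"
    ext = name[name.rfind("."):]
    if ext not in ALLOWED:
        return False, f"rejected: extension {ext} not allowed"
    detected = magic_type(data, rules)
    if detected != ALLOWED[ext]:
        return False, f"rejected: content looks like {detected}, expected {ALLOWED[ext]}"
    return True, "accepted"


RULES = parse_rules(MAGIC_RULES)
# Constructed sample contents.
PHP_SCRIPT = b"<?php echo 'Oi';"                                   # the answer's payload
JPEG_WITH_PHP = b"\xff\xd8\xff\xe0" + b"\x00" * 60 + b"<?php echo 'Oi';"  # real JPEG header, PHP later
HTACCESS = b"ForceType application/x-httpd-php"

if __name__ == "__main__":
    print(magic_type(PHP_SCRIPT, RULES))     # application/x-httpd-php
    print(magic_type(JPEG_WITH_PHP, RULES))  # image/jpeg: the php rule only looks at offset 0
    for fn, d in [("upload.jpg", JPEG_WITH_PHP), ("upload.jpg", PHP_SCRIPT),
                  (".htaccess", HTACCESS), ("upload.php.jpg", JPEG_WITH_PHP)]:
        print(fn, check_upload(fn, d, RULES))
```

Two things the run makes visible: a file that starts with a valid JPEG header but carries PHP further in is still typed image/jpeg, because every rule tests a fixed offset, so magic matching on its own does not detect embedded code; that is why the conditions the answer lists (no execute handler and no .htaccess overrides in the upload directory) are the controls that actually matter, with content validation as the second layer.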