I cannot see a security hole in this module. As per the documentation link, the context for using MimeMagicFile is only server config and virtual host, i.e. only someone at an administrative level (or rather, with complete control over the server) could swap the magic file for something problematic; if something fails in this context, it is a problem that goes well beyond the module.
To see the "problem" happening, we would first have to create a file named /home/user/meumagic with this content (it is just an example):

```text
# php
0 string \<\?php application/x-httpd-php
# Frame
0 string \<MakerFile application/x-frame
0 string \<MIFFile application/x-frame
0 string \<MakerDictionary application/x-frame
0 string \<MakerScreenFon application/x-frame
0 string \<MML application/x-frame
0 string \<Book application/x-frame
0 string \<Maker application/x-frame
# MS-Word
0 string \376\067\0\043 application/msword
0 string \320\317\021\340\241\261 application/msword
0 string \333\245-\0\0\0 application/msword
```

In Apache you would then have to configure it like this:

```apache
MimeMagicFile /home/user/meumagic
```

So in this case any file that starts with <?php will execute; however, see that it is very laborious, this is practically an induced security fault.
How could an uploaded file run as a PHP script?

As far as I understand the Apache modules I know of, the only one that could really cause a security breach would be ForceType from the core module. Before explaining it, I will explain how PHP scripts run in Apache most of the time.

Apache can use several methods to run PHP, but the most common are FastCGI and apache2handler (the latter most common on Windows).

For you to define what PHP will execute, you configure the enabled file extensions in httpd.conf like this (this example would be on Windows):

```apache
LoadModule php5_module c:/php/php5apache2_4.dll
AddType application/x-httpd-php .php
```

Or:

```apache
<FilesMatch \.php$>
    SetHandler application/x-httpd-php
</FilesMatch>
```

Or even (php, phtml):

```apache
<FilesMatch "\.ph(p|tml)$">
    SetHandler application/x-httpd-php
</FilesMatch>
```

So here the "mimetype" application/x-httpd-php is set for the extensions .php and .phtml, and you could use any extension to create one like this:

```apache
AddType application/x-httpd-php .wallace
```

All files ending in .wallace will run as PHP scripts.

Now returning to ForceType, imagine that somehow the upload script developer did not filter the upload and this allows uploading a .htaccess file with this content:

```apache
ForceType application/x-httpd-php
```

And then on the next upload they send a .jpg with the following content:

```php
<?php
echo 'Oi';
```

And the upload folder has permission to execute and public access, so the malicious person would access it like this:

http://site-vulneravel.com/uploads/upload.jpg

It would run the script.
Note that for the security breach to occur, the following were required:

- Permission in the uploads folder to execute scripts
- The uploads folder being published (or accessible via HTTP)
- Lack of filters / validation in the upload script

So you ask yourself: "but this is impossible". Perhaps for those who have a minimum of knowledge and/or responsibility, yes, but with several "developers" this can indeed happen.
Answering the questions in the topic:

- How does this Apache mod_mime_magic work in detail?
  Answer: It changes the magic file containing the mime-types used for file identification; .htaccess does not have access to it.
- Is mod_mime_magic really that dangerous?
  Answer: I would say no; if it were the cause of a security problem, it would be because of the irresponsibility of someone with full control over Apache.
- Is it active by default in Apache?
  Answer: It varies from server to server.
- How do I know if it is active or not?
  Answer: I believe just by looking at httpd.conf, since it is only accessible at this "level".
- If I want to enable mod_mime_magic, how could I ensure that a file that has been uploaded to my application has no "malicious content in disguise"?
  Answer: As I explained in the rest of the answer, I do not believe it could cause this problem, and if it does occur it is not a fault of the module directly but of whoever controls the server.
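As an added example (not code from this answer, from Apache or from PHP), here is a small Python model of the `offset string value mime` rules the answer shows and of the upload check the last question asks about: it parses a constructed magic table written in the same syntax, including the octal escapes, sniffs the content type the way mod_mime_magic would, and rejects uploads that sniff as PHP, that are dot-files such as .htaccess, or whose bytes do not carry an allowed image signature. The JPEG/PNG rules, the function names and the policy sets are assumptions of this example.

```python
import re
# Constructed magic table in mod_mime_magic's "offset type value mime" syntax:
# the php and MS-Word rules mirror the answer above, JPEG/PNG are standard
# signatures added so that legitimate images have a rule to match.
MAGIC_TABLE = r"""
# php
0 string \<\?php application/x-httpd-php
# MS-Word
0 string \376\067\0\043 application/msword
0 string \377\330\377 image/jpeg
0 string \211PNG image/png
"""
SERVER_EXECUTED = {"application/x-httpd-php"}  # handed to a script engine
ALLOWED_IMAGES = {"image/jpeg", "image/png"}   # policy for an image upload

def unescape(value):
    # magic(5) string syntax: \ooo is an octal byte, any other \c is a literal c
    return bytes(int(m.group(1), 8) if m.group(1) else ord(m.group(2))
                 for m in re.finditer(r"\\([0-7]{1,3})|\\?(.)", value))

def parse_magic(text):
    # one (offset, needle, mime) per 'string' rule; comments and blanks skipped
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            offset, kind, value, mime = line.split(None, 3)
            if kind == "string":
                rules.append((int(offset), unescape(value), mime))
    return rules

def sniff(data, rules):
    # first rule whose needle matches at its offset wins, as in mod_mime_magic
    for offset, needle, mime in rules:
        if data[offset:offset + len(needle)] == needle:
            return mime
    return None

def upload_allowed(filename, data, rules):
    # defender's check: reject dot-files (.htaccess), content that sniffs as a
    # server-executed type, and anything lacking an allowed image signature
    if filename.rsplit("/", 1)[-1].startswith("."):
        return False, "dot-file name"
    mime = sniff(data, rules)
    if mime in SERVER_EXECUTED:
        return False, "content sniffed as " + mime
    if mime not in ALLOWED_IMAGES:
        return False, "content is not an allowed image"
    return True, mime

RULES = parse_magic(MAGIC_TABLE)
```

The check inspects bytes rather than the file name, so a `.jpg` whose content begins with `<?php` is refused even on a server where the uploads folder would otherwise hand it to PHP.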