Monday, December 5, 2005

Apache and .php.bak files
Comments
Hi,

This behaviour is caused by the Apache negotiation_module: http://httpd.apache.org/docs/1.3/mod/mod_negotiation.html

Regards
Apache will send a user any file you throw at it. The only question is what it does with that file.
If Apache doesn’t know how to handle the file, it’s sent as plain text.
Richard, there is a little misunderstanding...
Apache does NOT send these files as plaintext, they are executed as PHP files.
More important than the question of why apache shows these files is why you are putting them there in the first place.
Backup files should not be getting put into your web root. I assume they are being created automatically by your editor; well, any editor worth using is also capable of putting these files in a pre-defined location so that your working directories are not cluttered with .bak files and such. I use vim and have it set to put all of my backup files into a ~/.vim/backup/ directory and store all swap files in ~/.vim/swap/. You should be able to change this in your prefs.
Well, I am surely not putting them there - I was merely reading a thread on Full-Disclosure (as stated in the blog entry!) and wondering why that behavior occurs.
Ah, well, as Richard Thomas said, Apache has to be told how to deal with a .bak file if you want it to do something other than just print it to the client directly. You could have it hide any files of extensions you don’t want displayed.
I don’t think Christopher is asking what Apache will do with a .bak file extension - it’s specifically the foo.php.bak naming convention he’s interested in. Guillaume Plessis’s answer seems very likely, since mod_negotiation is what makes index.html.de considered to be an HTML file.
Exactly. I think I’m not dumb enough to save .bak files, or any other backup/safety copy archives of my site on the actual site - nobody should do that ever. If you’re German, you might remember Peter Huth’s kunden.txt
Obviously, this is a mod_mime thing. I tried to disable mod_negotiation and mod_mime_magic, as well as turn off “Options MultiViews”, as suggested on Full Disclosure, but none of that had any effect. Since disabling mod_mime effectively renders an Apache web server useless, I didn’t do that, but I can’t imagine any other module that might be responsible for this bug/feature. Actually, it’s not bad security-wise, since even if someone forgets their UltraEdit backup copies in their web root, no-one can see the actual PHP code. It means we have to correct the chapter about information disclosure in our book, though.
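The mod_mime explanation in the last comment matches how Apache maps extensions: mod_mime treats every dot-separated suffix of a file name as an extension, so `foo.php.bak` still carries the `.php` extension and is handed to the PHP handler, while a suffix that has its own type mapping (such as `.txt`) takes precedence and makes `foo.php.txt` come back as plain text. The configuration below is an added example, not from the original entry or its commenters; it puts the usual `.php` mapping beside a version that only hands names ending in `.php` to PHP and refuses to serve backup copies at all. The handler name `application/x-httpd-php` and the list of backup suffixes are assumptions; use whatever the installed PHP module registers and whatever your editors actually produce.

```apache
# --- Typical configuration (assumed; the form most PHP installs use) ---
# mod_mime matches this on ANY suffix of the name, so it also fires for
# foo.php.bak, foo.php.old and foo.php.orig, which is the behaviour the
# entry describes.
#AddHandler application/x-httpd-php .php

# --- Hardened configuration -------------------------------------------
# Only names that END in .php are handed to the PHP module. FilesMatch
# takes a regular expression, so the trailing "$" anchor is the point.
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>

# Refuse to serve editor/backup copies regardless of what precedes the
# suffix. Apache 2.4 syntax; on 2.2 and older use
#   Order allow,deny
#   Deny from all
# inside the block instead of "Require all denied".
<FilesMatch "\.(bak|old|orig|swp)$">
    Require all denied
</FilesMatch>
```

With the first block active, a stray `foo.php.bak` is executed rather than disclosed; with the hardened blocks it is neither executed nor served, which is the outcome you want when a backup copy does end up in the document root. The denial pattern is deliberately separate from the handler rule so that a new backup suffix you forget to list is at worst served by whatever default type applies, never run as PHP.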