I am using PHP 8.1.x with Apache 2.4 and for some strange reason it's also interpreting files like test.php3 when I request them with a browser. It should only interpret *.php files... Why does PHP interpret these other extensions? If so, do you know a list of extensions that PHP interprets by default so I can block those when my customers upload files on forms inside my website? I already block the php extension when a user uploads a file so I want to know if there are other extensions like php1, php2, php934 which are also interpreted.

Jonathan
  • _"a list of extensions that PHP interprets by default"_ - PHP doesn't interpret anything on its own here; it is the web server's job to determine which files to send through the PHP parser. You'll need to check your server configuration. – CBroe Jun 01 '22 at 14:31
  • You can check the Apache configurations to see what's allowed. For my system, I was able to do `grep -R php3 /etc/httpd/*` and get `_default.conf:` – aynber Jun 01 '22 at 14:32
  • @aynber isn't that strange? A huge security threat? Apache interpreting files like .shtml or phtml... how many devs know that their server is vulnerable if they allow file extensions like that on upload forms? – Jonathan Jun 01 '22 at 14:52
  • I think it's legacy settings. Most sites don't allow interpreted pages to be uploaded, if they are, they're uploaded to a non-accessible directory. – aynber Jun 01 '22 at 14:54
  • @aynber I discovered a more dangerous extension! Phar! Files like `test.phar` get interpreted on all 8 servers I just tried. Extensions like `.shtml` or `.php3` only get executed on some servers (maybe because they differ in PHP/Apache version) but the `.phar` extension gets executed on all of them. Anyway, if you wish to post your comment as an answer, I will be glad to accept it! – Jonathan Jun 01 '22 at 15:12
  • @Jonathan you need to whitelist allowed extensions if you're looking for security. Who knows, your webserver might also be configured to execute `.cgi, .pl` as perl, `.py` as python, etc. This is not a security vulnerability in itself. Vulnerabilities are introduced when you use blacklists instead of whitelists for user uploads, and further, if those uploads are not processed (e.g. MIME verified, added to non-public directories, etc. depending on your case). – Markus AO Jun 01 '22 at 15:18
  • You need to check the MIME type, then set the extension yourself from the MIME type. Using only the MIME type or only the extension will lead to security issues. As for interpreted extensions, as said before, it is server configuration. – JoelCrypto Jun 01 '22 at 15:45
  • @JoelCrypto could you please elaborate on what you said about "mime"? For example, if I allow people to only upload "`.gif`" files (by extension) to a public directory on my website (like `xxx.com/temp/file1.gif`), how could the MIME type cause any vulnerability? I don't think Apache will check the MIME of that specific `.gif` file every time a person requests it using the browser... Apache will just return `image/gif` as the MIME of the file, right? – Jonathan Jun 01 '22 at 17:51
  • https://stackoverflow.com/questions/10456113/check-file-extension-in-upload-form-in-php – JoelCrypto Jun 01 '22 at 20:56
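
An added example (not code from this thread) of the approach the comments describe: detect the MIME type from the file content, accept only allowlisted types, and assign the extension server-side instead of trusting the uploaded name. The allowed types, the `attachment` field name and the `/var/www/uploads` path are assumptions for illustration; the code requires PHP's fileinfo extension.

```php
<?php
declare(strict_types=1);

// Allowlist: detected MIME type => extension the server assigns (assumed policy for this example).
const ALLOWED_TYPES = [
    'image/gif'  => 'gif',
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
];

/**
 * Validate one entry of $_FILES and move it into $destDir under a server-chosen name.
 * Returns the stored file name; throws RuntimeException on rejection.
 */
function store_upload(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . ($file['error'] ?? 'none'));
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an HTTP upload');
    }

    // Detect the type from the file content; $file['type'] and $file['name'] are client-supplied.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('File type not allowed');
    }

    // The client's file name is discarded entirely, so names such as
    // test.php3 or test.phar never reach the disk.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];

    if (!move_uploaded_file($file['tmp_name'], rtrim($destDir, '/') . '/' . $name)) {
        throw new RuntimeException('Could not store upload');
    }
    return $name;
}

// Usage with a form field named "attachment" (hypothetical field name and path).
if (isset($_FILES['attachment'])) {
    try {
        $stored = store_upload($_FILES['attachment'], '/var/www/uploads');
        echo 'Stored as ' . htmlspecialchars($stored);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected';
    }
}
```

Because the stored extension always comes from the allowlist, which extensions the web server maps to PHP no longer matters for uploaded files. Keeping the destination directory outside the public document root, as mentioned in the comments, adds a second layer.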

0 Answers