security hole for files with a dot at the end

I received an email this morning saying that KFM has a security hole – if a user creates a file named “test.php.” (note the ‘.’ at the end), then it is run as if it was “test.php”, even if you explicitly banned the .php extension in your settings.

I immediately added a line of code to ban all filenames which end in ‘.’, released a new version of 1.3 (available on the front page of the site) and corrected 1.4 in SVN.

After thinking about it, I realised that the security problem is not as serious as it may seem (for KFM – not in general). It’s definitely a problem, but in order to use it, you need to have access to a KFM instance in the first place. As securing KFM is not difficult, I think the problem may be contained.

But I digress – this appears to be a problem in Apache. To test it, I checked if renaming a Perl CGI file from .cgi to .cgi. would work, and it did.

This is a little disturbing, as it does not appear to be documented anywhere, so there is no way that a developer would know to avoid this security hole.

So, if you write programs that allow your users to upload or rename files online, make sure that the filename does not have a ‘.’ at the end!

edit: OMG! I was reading the Apache source to try spot the problem, and found the area where it happens – it’s in the file “http/mod_mime.c”. The function “find_ct()” extracts the extension for the server to use. Unfortunately, it ignores all extensions it does not understand, so it’s not just a case of “test.php.” being parsed as ‘.php’, but also “test.php.fdabsfgdsahfj” and other similar rubbish files! This is a serious problem.

There are a number of solutions to this:

  1. Possibly the correct solution: Keep your downloadables outside the web-accessible area and force the download through a PHP script. Doesn’t matter what extension the file has then.
  2. Tricky but easier to make portable: Write your own extension identifier using the httpd source as a guide, so you know what Apache will identify the file as (annoyingly complex, possibly, but I’ll need to do it…)
  3. Easiest, but most annoying for users: Only allow one ‘.’ per filename.
  4. More difficult, but possibly also correct: Convince Apache that this needs to be fixed, then upgrade immediately when the fix is available.

further update: An easy solution. This problem rears its head when PHP is identified in your httpd.conf using this:

AddHandler php5-script .php

the solution is to change the above to specify the extension must be at the end.

<FilesMatch \.php$>
  SetHandler php5-script
</FilesMatch>

online autism test hack

I was speaking with m1 in the ILUG chatroom today, and he mentioned an online autism test on Wired.com.

When you fill that out, and submit it, though, you will be shown the source code of the script which was supposed to calculate the results.

To get it to work, download the source, copy it into a .pl file, and upload it to your own server into your own cgi-bin (chmod to 755 before uploading). Then open up the test, use Firebug to edit the ‘action’ parameter of the form to point to your machine, and there you go!

If you want to try it out yourself, my copy of the file is here: http://verens.com/cgi-bin/autistic.pl – go to the wired.com form, change its action using Firebug (“inspect” the form, and click the action parameter to change it), then fill in the form and submit.

I scored 32, by the way, which is not quite the social animal I’m sure everyone takes me for, but also not extremely autistic. (of course, a few of those questions were confusing, so I may have got them wrong 😉 )

what am I up to?

My wife is in hospital with an absess on her eye, so I’m stuck at home minding Jareth, my 3yo son.

I don’t have time to work on KFM at the moment, but work is progressing anyway – Benjamin Ter Kuile has been hacking away at it feverishly – he’s currently working on the Image code. We plan to have all thumbnails contained within the sqlite database for version 0.7. I received an Italian language file from Stefano Luchetta, which, together with Hannu Nemi’s Finnish translation, makes a total of ten languages!

I’m busy with a rather large project which I can’t reveal details about, but can say that it involves Perl and a few different DB versions. Perl is a bit of a bugger, after you’ve been used to PHP, and PostgreSQL is just a pain in the behind…

I translated my Kaejax framework from PHP into Perl last night, after much hardship, and am currently strugging with JavaScript – a previous developer on this project made a decision to use the Prototype JS library. That’s not a bad decision, but it is interfering with my own scripts such that some simple things are not working as expected.

All in all, I’m incredibly busy. Thank $DEITY monday is a bank holiday, as I think I’ll need it, in order to catch up with everything!