What it involves is the ability of Apache to run any PHP code in a file as long as ".php" appears somewhere in the filename. Therefore uploading a file named filetest.php.rar and opening the file in a browser window will execute the code.
example from URL above…
How can I find out if my webserver is vulnerable?
Create a plain-text file with this content:
Code:
<?php print 'Oops, my webserver is vulnerable'; ?>
Name it test.php.rar, upload it to your webserver (by Coppermine methods or by FTP) and run it in your browser by entering the URL of the file you uploaded into the browser's address bar. If the subsequent page shows the message
Quote
Oops, my webserver is vulnerable
then you really should be alarmed. If it returns garbled text, the PHP source code or just asks you to download the file, then your webserver probably is configured OK and you're not vulnerable.
I guess the question is, how does the hacker get the file uploaded to your server?
I just wiped clean and reloaded a server that was constantly hacked and couldn't figure out how they were getting in. Now, taking this into account, I see the server had uploadable programs, i.e. banner exchange, news article archive site, etc.
Is there a way to block ".rar" files? No pun intended, but it is rare to find .rar archive files nowadays. Or can we tweak Apache to disregard filenames after the .php?
yea… but all they have to do is name the file with some extension for which you have not addressed a MIME type setting. Then Apache disregards that portion of the filename, goes ahead and decides that the file must be PHP, and runs the code.
what I mean is… all they have to do is name the file "filetest.php.raru" OR "filetest.php.rararu" OR "filetest.php.rur", etc., etc.
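The posts above describe Apache's multiple-extension handling: a per-extension handler such as AddHandler lets mod_mime match ".php" in the middle of a name, so blocking ".rar" alone does nothing. The following added example (not from the thread, and not Coppermine's or Apache's own configuration) shows that weak setting next to two hardened forms; it assumes mod_php (php_admin_flag is a mod_php directive) and uses a placeholder path for the gallery's upload directory.

```apache
# WEAK: mod_mime evaluates every dotted segment of the filename, so
# "filetest.php.rar", "filetest.php.raru", etc. all still match ".php"
# and are handed to the PHP handler (the behaviour the thread describes).
AddHandler application/x-httpd-php .php
# (an "AddType application/x-httpd-php .php" line has the same effect
#  and must be removed as well)

# HARDENED 1: anchor the match to the END of the filename, so only
# names ending in ".php" are executed. "filetest.php.rar" then has no
# handler and is served as a plain file (the "shows the PHP source /
# offers a download" outcome the test above calls OK).
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>

# HARDENED 2 (defence in depth): never execute anything under the
# upload tree, whatever it is named, and stop a dropped .htaccess from
# switching execution back on. Path below is a placeholder.
<Directory "/var/www/html/gallery/albums">
    php_admin_flag engine off
    RemoveHandler .php .phtml .php3
    Options -ExecCGI -Includes
    AllowOverride None
</Directory>
```

After reloading Apache, repeat the test.php.rar check from the thread against the upload directory; the file should be served raw or offered as a download, never executed.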
Despite assertions to the contrary by the Coppermine folks... this is a security bug in Coppermine. No web application should allow arbitrary files to be created on the server in executable space by untrusted users, and that's what the exploit is all about.
Presumably the current version of Coppermine sanitizes filenames and prevents this kind of problem.