[MacPorts] #38452: PHP code disclosure vulnerability with apache2 and other web servers (was: Apache on HFS Critical Security Issue)

Bradley Giesbrecht pixilla at macports.org
Thu Mar 21 09:53:39 PDT 2013


On Mar 21, 2013, at 9:10 AM, Clemens Lang wrote:

> On Thu, Mar 21, 2013 at 08:29:38AM -0700, Bradley Giesbrecht wrote:
>> If you have mod_rewrite available this appears to work around the problem for me:
>> ...
>> RewriteCond %{SCRIPT_FILENAME} .+\.p.+hp$ [NC]
>> RewriteRule ^(.*)$ http://%{HTTP_HOST} [L,QSA]
>> ...
> 
> Be warned that doing this will only fix the specific attack mentioned in
> the ticket. The Unicode bytes could however also be added between
> "<filename>.ph" and "p" instead of between "p" and "hp".
> 
> So, your solution is not a secure workaround!
> Also, there probably are other Unicode symbols that can be used in this
> place to exploit the vulnerability.


FWIW:
Compiling and installing mod_hfs_apple.so from here did not work for me:
http://opensource.apple.com/source/apache_mod_hfs_apple/apache_mod_hfs_apple-11/

However, copying Apple's mod_hfs_apple.so from a Mac OS X Server does appear to solve the problem.

Has anyone heard of an Apple patch for mod_hfs_apple.so?


Regards,
Bradley Giesbrecht (pixilla)
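
Added example, not part of the original message and not MacPorts or Apple code: it runs the RewriteCond pattern quoted above next to a position-independent check over constructed request paths, showing why a pattern tied to one byte position misses the other placements raised in the reply. The code-point set is an assumption taken from Apple's TN1150 list of characters HFS+ ignores when comparing file names (the thread names none), and all function names are hypothetical.

```python
import re
from urllib.parse import quote, unquote

# Assumption: code points HFS+ skips when comparing file names
# (per Apple TN1150); the thread itself does not list them.
HFS_IGNORABLE = re.compile("[\u200c-\u200f\u202a-\u202e\u206a-\u206f\ufeff]")

# The RewriteCond pattern quoted in the thread ([NC] becomes IGNORECASE).
THREAD_PATTERN = re.compile(r".+\.p.+hp$", re.IGNORECASE)


def thread_rule_matches(raw_path: str) -> bool:
    """True if the thread's RewriteCond would fire for this request path."""
    return bool(THREAD_PATTERN.search(unquote(raw_path)))


def has_ignorable(raw_path: str) -> bool:
    """True if the decoded path contains any code point HFS+ ignores."""
    return bool(HFS_IGNORABLE.search(unquote(raw_path)))


def audit(raw_paths):
    """Return (path, thread_rule, ignorable_check) for each request path."""
    return [(p, thread_rule_matches(p), has_ignorable(p)) for p in raw_paths]


# Constructed sample paths, percent-encoded as they would show up in an
# access log. They are test inputs for the two checks, nothing more.
SAMPLES = [
    quote("/index.php"),        # ordinary request, must not be flagged
    quote("/index.p\u200chp"),  # placement the quoted rule was written for
    quote("/index.ph\u200cp"),  # placement named in the reply
    quote("/index.\ufeffphp"),  # another ignorable code point, another spot
]

if __name__ == "__main__":
    for path, rule, check in audit(SAMPLES):
        print(f"{path:32} thread_rule={rule!s:5} ignorable_check={check}")
```

Rejecting or logging any request for which `has_ignorable` is true does not depend on the file extension or on where in the name the code point sits.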


