Is it dangerous to leave mod_mime_magic active in Apache?

Viewed 414 times

4

Once I was arguing with a programmer more experienced than me (the user @Bacchus) about uploading files.

I was commenting that it does not make sense for someone to try to upload a file with a jpg extension that has a PHP script inside, and that it was not necessary to worry about it, since Apache would not read the content as PHP (because I believe I have seen a configuration in Apache where the file extensions that will be interpreted as PHP are specified).

However, this user informed me that this can be risky if the mod_mime_magic extension is enabled in Apache, because theoretically (for me it is theoretical, since I have never used it) it would interpret a file based on the file's MIME type and not its extension.

As far as my experience goes, I know that problems would occur when doing an include (from PHP) of this file; then it would be interpreted as PHP. But I never had problems with Apache interpreting a JPG as PHP.

This obviously left me with some concerns, and I would like to know a few things:

  • How does Apache's mod_mime_magic work in detail?

  • Is mod_mime_magic really that dangerous?

  • Does it come active by default in Apache?

  • How do I know whether it is active or not?

  • If I want to activate mod_mime_magic, how could I ensure that a file that has been "uploaded" to my application has no "disguised malicious content"?

  • 2

    I won't post a full reply now, but here is a summary for those who didn't follow the chat conversation: the mime-magic module uses the system's mime-magic file to determine the file type according to its content rather than the extension. This can cause a system that checks image uploads by extension to let a user upload a "disguised" PHP file with a GIF extension, for example, which Apache will understand as PHP because of the module.

1 answer

2

I cannot see a security fault in this module, since according to the documentation https://httpd.apache.org/docs/2.4/mod/mod_mime_magic.html#mimemagicfile the context in which MimeMagicFile can be used is only the server config and virtual host, i.e. only someone with administrative access (or rather, complete control over the server) could replace the magic file with something problematic; if something fails in this context, then it is a problem that goes far beyond the modules.

See, for the "problem" to occur, we would first have to create a file named /home/user/meumagic with this content (just an example):

# php
0  string  \<\?php             application/x-httpd-php

# Frame
0  string  \<MakerFile        application/x-frame
0  string  \<MIFFile          application/x-frame
0  string  \<MakerDictionary  application/x-frame
0  string  \<MakerScreenFon   application/x-frame
0  string  \<MML              application/x-frame
0  string  \<Book             application/x-frame
0  string  \<Maker            application/x-frame

# MS-Word
0  string  \376\067\0\043            application/msword
0  string  \320\317\021\340\241\261  application/msword
0  string  \333\245-\0\0\0           application/msword

In Apache you would then have to set it like this:

MimeMagicFile /home/user/meumagic

So in this case any file that starts with <?php will be executed; however, notice that it is quite laborious, this is practically an induced security failure.

How could an uploaded file run as a PHP script?

As far as I understand the Apache modules I know, the only one that could actually cause a security breach would be ForceType from the "core" module; before explaining it I will explain how the execution of PHP scripts in Apache works (most of the time).

To run PHP, Apache can use several methods, but the most common are FastCGI and apache2handler (the latter more common on Windows).

To define what will run as PHP, you configure the enabled file extensions in httpd.conf like this (this example would be on Windows):

LoadModule php5_module c:/php/php5apache2_4.dll
AddType application/x-httpd-php .php

Or:

<FilesMatch \.php$>
    SetHandler application/x-httpd-php
</FilesMatch>

Or even (php, phtml):

<FilesMatch "\.ph(p|tml)$">
    SetHandler application/x-httpd-php
</FilesMatch>

Then notice that the "mime type" application/x-httpd-php has been added for the .php and .phtml extensions, and with that you could use any extension, even create one like this:

AddType application/x-httpd-php .wallace

All files ending in .wallace will run as PHP scripts.

Now back to ForceType: imagine that somehow the developer of the upload script did not filter the upload, and this allows the attacker to upload a .htaccess file with this content:

ForceType application/x-httpd-php

And then in the next upload they send a .jpg with the following content:

<?php
echo 'Oi';

And supposing the upload folder has execute permission and public access, the malicious person would access it like this:

http://site-vulneravel.com/uploads/upload.jpg

They would run the script.

Note that for the security failure to occur, the following were required:

  • Permission in the uploads folder to run the script
  • The uploads folder being published (or accessible via HTTP)
  • Lack of filters/validation in the upload script

So you say to yourself, "but this is impossible"; maybe for those with a minimum of knowledge and/or responsibility, yes, but with several "developers" this can indeed happen.

Answering the questions in the topic

  • How does Apache's mod_mime_magic work in detail?
    • Answer: It changes the magic file containing the MIME types used for file identification; .htaccess has no access to it.

  • Is mod_mime_magic really that dangerous?
    • Answer: I would say no; if it came to be the cause of some security problem, it was because of the irresponsibility of someone with full control over Apache.

  • Does it come active by default in Apache?
    • Answer: Varies from server to server.

  • How do I know whether it is active or not?
    • Answer: I believe only by inspecting httpd.conf, since it is only accessible at this "level".

  • If I want to activate mod_mime_magic, how could I ensure that a file that has been "uploaded" to my application has no "disguised malicious content"?
    • Answer: As I explained in the rest of the answer, I do not believe that it could cause this problem, and if it happens it is not directly the module's fault but rather that of whoever controls the server.
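The answer lists three conditions that had to hold for the .htaccess/ForceType scenario to work. The following Apache 2.4 configuration, added here as an example that is not part of the answer, removes two of them on the server side: it ignores any .htaccess in the upload tree and refuses to hand files there to a script handler, whether the type came from the extension (mod_mime) or from the content (mod_mime_magic). The directory path /var/www/html/uploads and the module identifier php5_module (taken from the LoadModule line in the answer; newer PHP releases use php7_module or php_module) are assumptions.

```apache
# Added hardening example; not from the answer. Place it in the server
# configuration or inside the <VirtualHost>, never in a .htaccess file.
<Directory "/var/www/html/uploads">
    # Condition 3 in the answer: an uploaded .htaccess is ignored, so any
    # ForceType / SetHandler / AddType placed in it never takes effect.
    AllowOverride None

    # Condition 1: nothing in this tree goes to a script handler, whatever
    # type mod_mime or mod_mime_magic assigned to it.
    RemoveHandler .php .phtml .phar
    RemoveType .php .phtml .phar
    SetHandler default-handler
    Options -ExecCGI -Includes -Indexes

    # <Files*> sections are merged after <Directory>, so a server-wide
    # "<FilesMatch \.php$> SetHandler ..." would still win over the
    # default-handler above. Refusing to serve such names closes that gap.
    <FilesMatch "\.ph(p[0-9]?|tml|ar|ps)$">
        Require all denied
    </FilesMatch>

    # mod_php only: php_admin_flag cannot be changed from .htaccess or ini_set().
    <IfModule php5_module>
        php_admin_flag engine off
    </IfModule>

    # Ask browsers not to sniff the served type (needs mod_headers).
    <IfModule mod_headers.c>
        Header set X-Content-Type-Options "nosniff"
    </IfModule>
</Directory>
```

To check whether mod_mime_magic is loaded on a running server, `apachectl -M` lists the loaded modules (look for `mime_magic_module`), and searching the configuration directory for `MimeMagicFile` shows whether a magic file has actually been configured; the module does nothing without that directive.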
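The third condition in the answer is the missing validation in the upload script, which is also what the last question in the topic asks about. The PHP handler below is an added example, not code from the question or the answer; it assumes a form field named image, a storage directory passed in by the caller, and a web server that never executes anything in that directory (for instance configured as in the answer's discussion of ForceType). It decides the type from the file's content rather than from the client-supplied name, checks that the bytes decode as an image, and chooses the stored file name itself.

```php
<?php
// Added example (not from the answer): server-side checks for an image upload.
// Assumptions: form field "image"; $storeDir is outside the document root or
// configured so that nothing in it is ever executed. Requires PHP >= 7.1.

// Only these content-detected types are accepted; the extension is OURS, not the uploader's.
const ALLOWED = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];
const MAX_BYTES = 2 * 1024 * 1024;

// Returns [detected mime type, stored file name] or throws RuntimeException.
function validate_image_upload(array $file): array
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // 1. Type from content (libmagic), never from $file['name'] or $file['type'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException("type not allowed: $mime");
    }

    // 2. The bytes must actually decode as that image type; a bare PHP file does not.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('not a valid image');
    }

    // 3. Random name plus an extension derived from the detected type. The
    //    original name (and so any ".htaccess" or ".php" in it) is discarded.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    return [$mime, $name];
}

function store_upload(array $file, string $storeDir): string
{
    [, $name] = validate_image_upload($file);
    $dest = rtrim($storeDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644); // readable by the server, never executable
    return $name;
}

if (PHP_SAPI !== 'cli' && isset($_FILES['image'])) {
    try {
        // Directory name is an assumption for the example.
        $saved = store_upload($_FILES['image'], __DIR__ . '/../private_uploads');
        echo 'stored as ' . htmlspecialchars($saved, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Two caveats a practitioner should keep in mind. Both content checks look at the start of the file, so a file that begins with a valid GIF header and carries PHP code after it passes them; content inspection reduces the attack surface but does not replace the server-side rule that nothing in the upload directory is ever executed. And because the stored name is generated here, the .htaccess upload from the answer's scenario is rejected by name replacement alone, independently of the type checks.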
