CSS file execute as PHP

alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

CSS file execute as PHP

Post by alex.barylski »

Is there a way using .htaccess I can tell apache to hand certain JS, CSS and GIF files to PHP?

I thought the default for PHP was to execute a file regardless - the minute it detected PHP start tags or similar?

I had a server hijacked a while back because I allowed uploading of images based on file extension only, which an attacker used to upload a PHP script disguised as a *.GIF file???

How do I enable that functionality?
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

I'm not familiar with the usage of .htaccess for changing files, but you could always check the headers of the file being uploaded as a validation that it's not an html, php, js, or css file.

Also, $_FILES['file']['type'] should be of use to your upload script.
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Re: CSS file execute as PHP

Post by volka »

Hockey wrote: I thought the default for PHP was to execute a file regardless - the minute it detected PHP start tags or similar?
No, you're telling the webserver which files are to be handled by php.
For an apache e.g.
http://www.php.net/manual/en/install.unix.apache2.php wrote: AddType application/x-httpd-php .php .phtml
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

superdezign wrote: I'm not familiar with the usage of .htaccess for changing files, but you could always check the headers of the file being uploaded as a validation that it's not an html, php, js, or css file.

Also, $_FILES['file']['type'] should be of use to your upload script.
Hehe...I'm not looking to secure my upload script...I was just recalling how an attacker used a GIF which was actually a PHP script to carry out an attack on my server. Besides, I don't think checking $_FILES would be a safe method. The only safe bet is to check a file's magic bytes in the actual file itself.

volka thanks for that snippet, but how then, did that attacker I mention use a GIF to carry out a PHP attack?

Come to think of it, maybe it was image.php.gif

But I am sure someone here told me that PHP just executed whatever was thrown at it... :?
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

But I am sure someone here told me that PHP just executed whatever was thrown at it...
On his configuration that could well be true (ish) but usually that is not the case.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Anything PHP is requested to parse will have any PHP contained executed.
Kieran Huggins
DevNet Master
Posts: 3635
Joined: Wed Dec 06, 2006 4:14 pm
Location: Toronto, Canada

Post by Kieran Huggins »

"addHandler" is another option - I forget which one, but I think only one works in .htaccess
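
Added example, not written by any poster in this thread: an Apache 2.4 configuration that puts the extension-based handler mapping discussed above next to a stricter one, covering the image.php.gif case raised earlier. The uploads path is an assumed placeholder, and the PHP module name depends on the installed PHP version.

```apache
# --- Weak: handler mapped by extension through mod_mime ---
# mod_mime looks at every dot-separated extension in a filename, so with
# this line "image.php.gif" takes the PHP handler from ".php" while ".gif"
# only supplies the MIME type. Left commented out on purpose.
# AddHandler application/x-httpd-php .php

# --- Corrected: hand a file to PHP only when its name ENDS in .php ---
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>

# --- Upload directory (assumed path): serve files, never run them ---
<Directory "/var/www/example/uploads">
    # Ignore .htaccess here, so an uploaded one cannot re-add a handler
    AllowOverride None
    Options -ExecCGI

    # Nested so that it is merged after the server-wide FilesMatch above
    # and therefore wins, even for names that really do end in .php
    <FilesMatch ".+">
        SetHandler default-handler
    </FilesMatch>

    # With mod_php loaded, also switch the engine off for this directory.
    # php_module is the PHP 8 name; older builds use php7_module/php5_module.
    <IfModule php_module>
        php_admin_flag engine off
    </IfModule>
</Directory>
```

After reloading Apache, requesting a test file such as uploads/test.php.gif that contains a harmless `<?php echo 1; ?>` should return the file's bytes unchanged rather than the output `1`.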