CSS file execute as PHP

Posted: Sat Feb 17, 2007 6:12 am
by alex.barylski
Is there a way using .htaccess I can tell apache to hand certain JS, CSS and GIF files to PHP?

I thought the default for PHP was to execute a file regardless - the minute it detected PHP start tags or similar?

I had a server hijacked a while back because I allowed uploading of images based on file extension only, which an attacker used to upload a PHP script disguised as a *.GIF file???

How do I enable that functionality?

Posted: Sat Feb 17, 2007 7:15 am
by superdezign
I'm not familiar with the usage of .htaccess for changing files, but you could always check the headers of the file being uploaded as a validation that it's not an html, php, js, or css file.

Also, $_FILES['file']['type'] should be of use to your upload script.

Re: CSS file execute as PHP

Posted: Sat Feb 17, 2007 7:31 am
by volka
Hockey wrote:I thought the default for PHP was to execute a file regardless - the minute it detected PHP start tags or similar?
No, you're telling the webserver which files are to be handled by php.
For an apache e.g.
http://www.php.net/manual/en/install.unix.apache2.php wrote:AddType application/x-httpd-php .php .phtml

Posted: Sat Feb 17, 2007 7:35 am
by alex.barylski
superdezign wrote:I'm not familiar with the usage of .htaccess for changing files, but you could always check the headers of the file being upload as a validation that it's not an html, php, js, or css file.

Also, $_FILES['file']['type'] should be of use to your upload script.
Hehe...I'm not looking to secure my upload script...I was just recalling how an attacker used a GIF which was actually a PHP script to carry out an attack on my server. Besides, I don't think checking $_FILES would be a safe method. The only safe bet is to check a file's magic bytes in the actual file itself.

volka thanks for that snippet, but how then, did that attacker I mention use a GIF to carry out a PHP attack?

Come to think of it, maybe it was image.php.gif

But I am sure someone here told me that PHP just executed whatever was thrown at it... :?

Posted: Sat Feb 17, 2007 7:58 am
by Ollie Saunders
But I am sure someone here told me that PHP just executed whatever was thrown at it...
On his configuration that could well be true (ish) but usually that is not the case.

Posted: Sat Feb 17, 2007 8:54 am
by feyd
Anything PHP is requested to parse will have any PHP contained executed.

Posted: Sat Feb 17, 2007 12:07 pm
by Kieran Huggins
"addHandler" is another option - I forget which one, but I think only one works in .htaccess
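To tie together the magic-bytes check alex.barylski describes and the AddType/AddHandler point made by volka and Kieran Huggins, here is an added example (not code from any poster in this thread) of an upload validator that ignores the client-supplied name and type entirely, so a name like image.php.gif never reaches disk. The field name "upload", the uploads directory, and the signature table are assumptions for the example.

```php
<?php
// Added example, not from the thread. Validate an uploaded "image" by its
// leading bytes, then store it under a server-generated name.

// Constructed table of the bytes real GIF/PNG/JPEG files start with.
const IMAGE_MAGIC = [
    'gif' => ["GIF87a", "GIF89a"],
    'png' => ["\x89PNG\r\n\x1a\n"],
    'jpg' => ["\xFF\xD8\xFF"],
];

/**
 * Return the image type detected from the file's first bytes, or null
 * when no known signature matches.
 */
function detect_image_type(string $path): ?string {
    $head = file_get_contents($path, false, null, 0, 8);
    if ($head === false) {
        return null;
    }
    foreach (IMAGE_MAGIC as $type => $signatures) {
        foreach ($signatures as $sig) {
            if (strncmp($head, $sig, strlen($sig)) === 0) {
                return $type;
            }
        }
    }
    return null;
}

/**
 * Return a safe destination filename for a $_FILES entry, or throw.
 * The client's name and $_FILES[...]['type'] are never consulted.
 */
function safe_upload_name(array $file): string {
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed or not an uploaded file');
    }
    $type = detect_image_type($file['tmp_name']);
    if ($type === null) {
        throw new RuntimeException('not a GIF/PNG/JPEG by magic bytes');
    }
    // Random name plus an extension chosen from the detected type only.
    return bin2hex(random_bytes(16)) . '.' . $type;
}

// Usage (assumed form field "upload", assumed uploads/ directory):
// $name = safe_upload_name($_FILES['upload']);
// move_uploaded_file($_FILES['upload']['tmp_name'], __DIR__ . '/uploads/' . $name);
```

A magic-bytes check alone does not stop a valid GIF with PHP code appended to it; as the thread says, what decides execution is which files Apache hands to PHP, so keep the AddType/AddHandler mapping limited to .php and make sure no such mapping (and no PHP engine) applies inside the uploads directory.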