PHP Breaks in VirtualHost Mime Type

Virtual hosting configurations must be designed to handle PHP files correctly or risk breaking security.

Name-based virtual hosting permits separate web addresses to be set up for downloading PHP scripts without running them, which solves some of the security problems that downloading and accessing PHP scripts can cause. System administrators can define MIME types to control how files with the .php file extension are handled by the virtual host web server when displaying web pages to users.

    Virtual Host Mime Types

    • MIME types identify the type of content being sent to a user such as graphics, text files and sound files. Virtual hosts use a VirtualHost directive to manage the configuration for each virtual server host. The TypesConfig file is the MIME type configuration file for a virtual host. The name of the virtual host can be accessed through the MIME type. According to “Pro Python System Administration,” “the return object sets the MIME type of the response to ‘text/plain,’ which allows you to download the URL directly to the configuration file.”

    Security Risks

    • The location of downloaded PHP scripts can affect computer security.

      The location of PHP scripts stored on a computer can create security risks. “Linux Server Security” warns “don’t put a script interpreter program in a CGI directory. For instance, don’t put the binary for Perl or a standalone PHP in /usr/local/apache/cgi-bin.” A PHP script stored in the CGI directory can be run by a general user on a computer otherwise set to only permit administrators to install and run software. If PHP scripts include malicious software, storing the script in the CGI directory allows it to be run automatically by anyone.

    Uploaded File Permissions

    • PHP saves uploaded files to the temporary directory set by the PHP directive upload_tmp_dir. PHP uploads saved to the upload_tmp_dir are viewable by all user classes. “Linux Server Security” says “you may want to define upload_tmp_dir to some directory in a virtual host’s file hierarchy.” PHP files saved in the virtual host’s file hierarchy are accessible via the autoglobal array $_FILES.

    Allowing Download without Action

    • Internet service providers can use virtual hosts to run multiple websites off the same physical web host server. Virtual hosts can be set up with a unique IP address for each URL. A name-based virtual host for the separate URLs can also be used to conserve IP addresses. Using the “get” command to retrieve a PHP script from a website runs the script by default. To prevent this problem, one URL can be created to download the script while another URL is created to allow the running of the file. Users are then able to view, edit and save the PHP script without activating the code.
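
A sketch of the two-host layout described above, added here as an example and not taken from the original article. It assumes Apache 2.4 with mod_php and mod_headers loaded; the hostnames and paths are placeholders.

```apache
# Constructed example: hostnames and directory paths are placeholders.

# Host 1: .php files are executed by the PHP handler.
<VirtualHost *:80>
    ServerName www.example.test
    DocumentRoot "/srv/www/app/public"

    <FilesMatch "\.php$">
        SetHandler application/x-httpd-php
    </FilesMatch>

    # Per-host upload directory inside this host's own hierarchy but
    # outside DocumentRoot, so uploads are not directly requestable.
    php_admin_value upload_tmp_dir "/srv/www/app/tmp"
</VirtualHost>

# Host 2: .php files are sent as plain-text downloads and never executed.
# Publish only scripts meant to be read: the source, including any
# credentials embedded in it, is sent to the client verbatim.
<VirtualHost *:80>
    ServerName src.example.test
    DocumentRoot "/srv/www/src-download"

    # Switch the PHP engine off for this host.
    php_admin_flag engine off

    <Directory "/srv/www/src-download">
        Require all granted
        Options -ExecCGI -Indexes
        # Ignore .htaccess so a dropped file cannot re-enable a handler.
        AllowOverride None
    </Directory>

    <FilesMatch "\.php$">
        # Override any server-wide PHP handler mapping for this host.
        SetHandler default-handler
        # Declare the response as text, not as a script or HTML.
        ForceType text/plain
        # Ask the browser to save the file and not to guess another type.
        Header set Content-Disposition "attachment"
        Header set X-Content-Type-Options "nosniff"
    </FilesMatch>
</VirtualHost>
```

Running `apachectl configtest` after editing checks the syntax, and requesting a test script from each hostname confirms that the first host returns the script's output while the second returns its source with a `Content-Type` of `text/plain`.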
