Code execution prevention ineffective when PHP handler set in Apache If directive

Created on 15 May 2020, almost 5 years ago
Updated 12 April 2023, almost 2 years ago

The Code execution prevention (in Files directory .htaccess) will not function if the PHP handler is set inside an Apache If directive.

Tested on Drupal version 7.69. Believed to also affect 8.x.

You can see this vulnerability by:
1. Configure Apache to handle PHP using the attached configuration for PHP-FPM. (Note that the If "-f %{REQUEST_FILENAME}" configuration is recommended by https://cwiki.apache.org/confluence/display/HTTPD/PHP-FPM#PHP-FPM-Proxyv... )
2. Install Security Review module and run Security review checklist.
3. Security Review Executable PHP in files directory test will show that execution of PHP files in the files directory is allowed.

This happens because the Apache If directive is merged after the Files * directive in files/.htaccess.

A potential fix is to add an If directive to files/.htaccess. For example see attached potential_fix.txt.

Background information

  • security.drupal.org private issue: https://security.drupal.org/node/171843
    (included for reference. Please do not report access denied as an error.)
  • Conclusion of the Drupal Security Team was that this issue could be made public. The reason is hackers already try to execute files in these directories even on sites where the protection is working. The public knowledge that a site could be vulnerable doesn't actually increase the risk.
  • Credit for helping with the private issue: cilefen, catch, mcdruid
🐛 Bug report
Status

Active

Version

9.5

Component
File system 

Last updated 6 days ago

Created by

Live updates comments and jobs are added and updated live.
  • Security

    It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.

  • Needs manual testing

    The change/bugfix cannot be fully demonstrated by automated testing, and thus requires manual testing in a variety of environments.

Sign in to follow issues

Merge Requests

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇬🇧United Kingdom catch

    potential_fix.txt should be converted to an MR or patch.

    Apart from the existing files htaccess protection test coverage, I don't see a way to validate this apart from manual testing, so tagging for that.

  • Assigned to kentr
  • 🇺🇸United States kentr Durango, CO
  • Merge request !10721Issue #3136788: Add SetHandler inside If → (Open) created by kentr
  • Pipeline finished with Failed
    3 months ago
    Total: 133s
    #380555
  • Pipeline finished with Success
    3 months ago
    Total: 3347s
    #380587
  • 🇺🇸United States kentr Durango, CO

    There's an MR for review.

    A few FunctionalJavascript tests errored but passed on retry.

    FWIW, access to PHP files in sites/default/files is currently blocked by the root .htaccess.

    With this change, the Security Review overview still states that PHP files in the Drupal files directory can be executed.

    However, I've confirmed manually that they are not executed: the raw PHP source is served. It looks like a case of ambiguity in the messaging. Here's the details message:

    The Drupal files directory is for user-uploaded files and by default provides some protection against a malicious user executing arbitrary PHP code against your site. Read more about the risk of PHP code execution on Drupal.org.

    The .htaccess file is writable which poses a risk should a malicious user find a way to execute PHP code they could alter the .htaccess file to allow further PHP code execution.

    I've attached a new PHP-FPM config to reproduce this.

  • 🇺🇸United States smustgrave

    This could use an issue summary update.

  • 🇺🇸United States kentr Durango, CO

    Updated the issue summary.

  • 🇬🇧United Kingdom longwave UK

    I thought we could extend Drupal\Tests\system\Functional\System\HtaccessTest to try and cover this case, but given that it also needs php-fpm in a specific configuration it's not going to be very easy to recreate in CI.

    While this is a security hardening, we can't entirely control what people might do with Apache directives and .htaccess; as this requires modifying the root .htaccess I am tempted to say that if you are doing that then you are on your own. But on the other hand I suppose this hardening can't harm anything if we do add it?

  • 🇬🇧United Kingdom longwave UK

    Tagged "needs work" because this still has the "needs manual testing" tag.

Production build 0.71.5 2024