[VIM] PHP File Upload Vulnerability with extra Extension

GM darkfig gmdarkfig at gmail.com
Wed May 14 19:23:24 UTC 2008

Hi =)

If the filename is a well-known extension (jpg, gif, etc...), it can
be interpreted as
a php file if there is a .htaccess file with this type of content:

# backdoor.php.jpg
AddHandler application/x-httpd-php .php

If the extension is unknown (zzz, jpx, etc...), it can be interpreted
as a php file if
the module mod_mime is loaded:

# backdoor.php.xxx
LoadModule mime_module modules/mod_mime.so

- darkfig

2008/5/13 str0ke <str0ke at milw0rm.com>:
> Thank you both for the explanation.
> regards,
> /str0ke
> Matthew Murphy wrote:
>> On May 12, 2008, at 2:28 PM, str0ke wrote:
>>> I have forgotten what caused the vulnerability where you upload a file
>>> such as somefile.php.jpg and it can be executed as a php script.  I know
>>> this isn't a php vulnerability as much as an addon.  I think in the past
>>> it was suexec that caused this but not sure.  Anyone have a clue?
>>> Regards,
>>> /str0ke
>> It's a design decision, according to ASF.  The idea is that you can
>> have multiple extensions, e.g:
>> index.html.en
>> Both of which affect the content processing in some way.  The .html
>> file tells the core that it is a static document, but the .en tells
>> mod_negotiation that it is an English-language version of
>> 'index.html'.  The same processing is done for PHP content, e.g.:
>> index.php.fr
>> Will be processed if I request 'index.php' with an Accept-Language
>> header including 'fr' or a subcode of it.
>> - Matt

More information about the VIM mailing list