Title: Apache AddHandler/AddType exploit protection
Author: Sebastian Pipping <firstname.lastname@example.org>
Apache's directives AddHandler and AddType can be used
to map certain file name extensions (e.g. .php) to a handler
(e.g. application/x-httpd-php). While a line like

  AddHandler application/x-httpd-php .php .php5 .phtml

matches index.php, it also matches index.php.png. With

  AddType application/x-httpd-php .php .php5 .phtml

index.php.png is not executed, but index.php.disabled still is.
Apache's notes on multiple file extensions document
a multi-language website as a context where that behavior
may be helpful. Unfortunately, it can also be a security threat.
Combined with (not just PHP) applications that support
file upload, the AddHandler/AddType directive can get you into
remote code execution situations.
That is why >=app-eselect/eselect-php-0.7.1-r4 avoids AddHandler
and is shipping
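To make the difference between the three configuration styles concrete, here is an added example (not code from this news item or from eselect-php) that simulates mod_mime's left-to-right walk over a file's extensions. The FilesMatch/SetHandler block it compares against and the small table of MIME types are assumptions for the demonstration, not quoted from the package.

```python
"""Simulate mod_mime's extension walk to show which files reach PHP
under AddHandler, AddType and an anchored FilesMatch/SetHandler."""
import re

PHP_HANDLER = "application/x-httpd-php"
PHP_EXTENSIONS = {"php", "php5", "phtml"}

# Constructed subset of Apache's mime.types, enough for the demonstration.
KNOWN_TYPES = {"png": "image/png", "html": "text/html", "txt": "text/plain"}

# Assumed replacement for AddHandler (not quoted from eselect-php):
#   <FilesMatch "\.(php|php5|phtml)$">
#     SetHandler application/x-httpd-php
#   </FilesMatch>
FILESMATCH_RE = re.compile(r"\.(php|php5|phtml)$")

MODES = ("AddHandler", "AddType", "FilesMatch")


def handler_for(path, mode):
    """Return the handler/type that would hand `path` to PHP, or None.

    mode is one of:
      "AddHandler"  AddHandler application/x-httpd-php .php .php5 .phtml
      "AddType"     AddType    application/x-httpd-php .php .php5 .phtml
      "FilesMatch"  the anchored FilesMatch/SetHandler block above
    """
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}")
    basename = path.rsplit("/", 1)[-1]

    if mode == "FilesMatch":
        # A regex match is case-sensitive unless written with (?i) and,
        # being anchored with $, only looks at the final extension.
        return PHP_HANDLER if FILESMATCH_RE.search(basename) else None

    handler = None
    content_type = None
    # mod_mime examines every extension from left to right; each one may
    # set the handler or the content type, and extensions are compared
    # case-insensitively.  Unknown extensions (.disabled, .inc) change
    # nothing, which is why index.php.disabled keeps its PHP mapping.
    for ext in basename.split(".")[1:]:
        ext = ext.lower()
        if ext in PHP_EXTENSIONS:
            if mode == "AddHandler":
                handler = PHP_HANDLER       # survives any later extension
            else:
                content_type = PHP_HANDLER  # may be overridden later
        elif ext in KNOWN_TYPES:
            content_type = KNOWN_TYPES[ext]  # later type wins, e.g. .png

    if mode == "AddHandler":
        return handler
    # With AddType only, PHP runs when the *final* type is still PHP's.
    return content_type if content_type == PHP_HANDLER else None


def compare(paths, modes=MODES):
    """Map each path to {mode: True if PHP would execute it}."""
    return {p: {m: handler_for(p, m) is not None for m in modes} for p in paths}


if __name__ == "__main__":
    # Constructed sample names, including an uploaded "image".
    sample = ["index.php", "index.php.png", "index.php.disabled",
              "uploads/avatar.PHP.png", "notes.txt"]
    for path, row in compare(sample).items():
        cells = "  ".join(f"{m}={'RUN ' if v else 'skip'}" for m, v in row.items())
        print(f"{path:24} {cells}")
```

The walk reproduces the three cases in the text: AddHandler executes index.php.png, AddType stops at index.php.png but still executes index.php.disabled, and only the anchored FilesMatch regex limits execution to names whose last extension is a PHP one. Note the mode-specific detail that mod_mime compares extensions case-insensitively while a FilesMatch regex does not unless written with (?i).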
Why this news entry?
* Since Apache configuration lives below /etc,
  you need to run etc-update (or a substitute)
  to actually have related fixes applied.
  To get them into the running instance of Apache,
  you need to make it reload its configuration, e.g.

    sudo /etc/init.d/apache2 reload
* If you are currently relying on AddHandler to execute
  secret_database_stuff.php.inc, moving away from AddHandler
  could result in serving your database credentials in plain
  text. A command like

    find /var/www/ -name '*.php.*' \
        -o -name '*.php5.*' \
        -o -name '*.phtml.*'

  may help discover PHP files that would no longer be executed.
  Shipping automatic protection for this scenario is not trivial,
  but you could manually install protection based on this recipe
  (uncomment the one variant that matches your Apache version and
  loaded modules):

    # a) Apache 2.2 / Apache 2.4 + mod_access_compat
    #Deny from all

    # b) Apache 2.4 + mod_authz_core
    #Require all denied

    # c) Apache 2.x + mod_rewrite
    #RewriteRule .* - [R=404,L]
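  As an added example (not part of this news item), the following
  script audits a list of paths the way the find command above does
  and checks each hit against the recipe. It assumes the recipe lives
  inside a FilesMatch block whose regex is \.(php|php5|phtml)\. and
  that the replacement for AddHandler is an anchored, case-sensitive
  FilesMatch on \.(php|php5|phtml)$ ; the sample paths are constructed.

```python
"""Audit a document root for PHP sources that stop being executed once
AddHandler is replaced, and check that the deny recipe covers them."""
import fnmatch
import re

PHP_EXTENSIONS = {"php", "php5", "phtml"}

# Assumed enclosing directive for the recipe (not quoted from the item):
#   <FilesMatch "\.(php|php5|phtml)\.">  Deny / Require / Rewrite  </FilesMatch>
DENY_RE = re.compile(r"\.(php|php5|phtml)\.")

# Assumed replacement for AddHandler: anchored, case-sensitive regex.
EXEC_RE = re.compile(r"\.(php|php5|phtml)$")

# The globs used by the news item's find(1) command.
FIND_GLOBS = ("*.php.*", "*.php5.*", "*.phtml.*")

# Constructed sample document root (paths only, nothing is read from disk).
SAMPLE_TREE = [
    "/var/www/localhost/htdocs/index.php",
    "/var/www/localhost/htdocs/lib/secret_database_stuff.php.inc",
    "/var/www/localhost/htdocs/uploads/avatar.php.png",
    "/var/www/localhost/htdocs/old/index.php.disabled",
    "/var/www/localhost/htdocs/config/Settings.PHP.inc",
    "/var/www/localhost/htdocs/logo.png",
]


def executed_by_addhandler(basename):
    """AddHandler hands the file to PHP if *any* extension is a PHP one;
    mod_mime compares extensions case-insensitively."""
    return any(ext.lower() in PHP_EXTENSIONS for ext in basename.split(".")[1:])


def executed_after_switch(basename):
    """Only the final extension counts, and the regex is case-sensitive."""
    return EXEC_RE.search(basename) is not None


def found_by_find(basename):
    """Would `find -name '*.php.*' -o ...` list this basename?"""
    return any(fnmatch.fnmatchcase(basename, g) for g in FIND_GLOBS)


def denied_by_recipe(basename):
    return DENY_RE.search(basename) is not None


def audit(paths):
    """Classify each path after the switch away from AddHandler:
      'ok'       still executed, or never PHP in the first place
      'denied'   no longer executed, but the recipe refuses to serve it
      'EXPOSED'  no longer executed and served as plain text"""
    result = {}
    for path in paths:
        name = path.rsplit("/", 1)[-1]
        if not executed_by_addhandler(name) or executed_after_switch(name):
            result[path] = "ok"
        elif denied_by_recipe(name):
            result[path] = "denied"
        else:
            result[path] = "EXPOSED"
    return result


def missed_by_find(paths):
    """Paths the audit flags that the find command would not list."""
    return sorted(p for p, status in audit(paths).items()
                  if status != "ok" and not found_by_find(p.rsplit("/", 1)[-1]))


if __name__ == "__main__":
    for path, status in audit(SAMPLE_TREE).items():
        print(f"{status:8} {path}")
    for path in missed_by_find(SAMPLE_TREE):
        print(f"not listed by find: {path}")
```

  For the sample tree the include file and the uploaded avatar.php.png
  both land in "denied", which is the intended outcome. Settings.PHP.inc
  shows the gap between the two tools: mod_mime's case-insensitive
  matching executed it before the switch, but neither the find globs
  nor the recipe's case-sensitive regex cover it, so it is reported as
  EXPOSED and as not listed by find.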
* You may be using AddHandler or AddType in other places,
including off-package files. Please have a look.
* app-eselect/eselect-php is not the only package affected.
There is a dedicated tracker bug at .
  At the time of writing, affected packages include:
Thanks to Nico Suhl, Michael Orlitzky and Marc Schiffbauer.