Hi Jan,

This is more a configuration problem: all these modules (php, python or whatever) should be disabled where hypermail outputs its files, as if someone sends a mail with a .php file as attachment (or one for another module), it will be hosted as-is (file.php).

What should be done is: disable PHP and other modules. You can do this with:

    php_admin_flag engine off

or

    RemoveHandler .php .phtml .php3

in the apache config. You should also add:

    AllowOverride None

to disable the .htaccess directives.

Regards,
Kevin
Jan Christoph Nordholz wrote:
> Hi Kevin,
>
>> For anybody who falls on this bug, PHP MUST BE disabled where hypermail
>> outputs its files, or I guess someone can hack you by sending php files
>> to the list and you will host those backdoors..!
>
> how is this going to work? The first line that hypermail writes contains
> "<?xml", and if 'short_tags = On', the PHP interpreter will already die
> here.
>
> If 'short_tags = Off', PHP will simply copy this line to its output and
> continue. But as all special characters in the mail are escaped, how
> could an attacker insert a string like '<?php' to execute code?
>
> Regards,
>
> Jan
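The configuration Kevin outlines, written out as a complete Apache `<Directory>` block. This is an added example, not part of the thread and not hypermail's or Debian's own configuration; the path `/var/www/hypermail` and the Apache 2.4 syntax are assumptions. It shows the weak default beside the hardened form and also covers two cases the thread does not spell out: PHP hooked in through `AddType` rather than `AddHandler` (so `RemoveHandler` alone leaves it active), and PHP-FPM, where PHP is bound with `SetHandler` and `php_admin_flag` has no effect because mod_php is not loaded.

```apache
# Added example (not from the thread). Hardens the directory hypermail
# writes its archive into. Adjust /var/www/hypermail to your real output
# directory; put this in the server or vhost config, never in .htaccess.

# --- Weak: a server-wide PHP binding applies to the archive too, so an
# attachment saved as att-0001/file.php is executed, and a mailed
# .htaccess could re-enable whatever is switched off below.
#
#   AddHandler application/x-httpd-php .php .phtml .php3
#   <Directory /var/www/hypermail>
#       AllowOverride All
#   </Directory>

# --- Hardened: everything under the archive is served as static data.
<Directory /var/www/hypermail>
    # mod_php only. The module registers as mod_php.c on PHP 8 and as
    # mod_php5.c / mod_php7.c on older builds; use the one you load.
    # php_admin_flag cannot be undone from .htaccess or ini_set().
    <IfModule mod_php.c>
        php_admin_flag engine off
    </IfModule>

    # Detach the mappings PHP is usually wired up through, whether the
    # global config used AddHandler or AddType.
    RemoveHandler .php .phtml .php3 .php4 .php5 .phps
    RemoveType    .php .phtml .php3 .php4 .php5 .phps

    # PHP-FPM binds PHP with SetHandler inside <FilesMatch>; neither
    # php_admin_flag nor RemoveHandler touches that, so reset it here.
    <FilesMatch "\.ph(p[0-9]?|tml|ps)$">
        SetHandler None
    </FilesMatch>

    # Same treatment for other server-side modules that may be enabled
    # globally (mod_cgi, mod_perl, mod_python, server-side includes).
    Options -ExecCGI -Includes
    RemoveHandler .cgi .pl .py .shtml

    # Nothing in a mailed .htaccess may override the above.
    AllowOverride None
</Directory>
```

After reloading, run `apache2ctl configtest` (or `apachectl -t`) to confirm the block parses, then request an attachment that hypermail has stored with a `.php` name: with the block in place the server must return the file's bytes verbatim instead of interpreter output. The `AllowOverride None` line is what makes the rest hold, since a `.htaccess` arriving as an attachment would otherwise be honoured in that directory.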