Apache's "File-Extension-Feature"

1 February 2017

Many years ago, someone mentioned at a congress that Apache has an interesting feature: if Apache doesn't know a file extension, it will just take the next one. If someone saves a file called "evil.php.ab", Apache does not know what to do with the extension ".ab", so it skips it and uses the next one: the file "evil.php.ab" is treated as "evil.php" and gets executed. I wondered how long it would take until a related bug occurred, and I was not surprised when I read about this nasty bug.
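The following is an added example, not code from the original post or from Apache: a simplified Python model of the extension handling described above, used to compare an upload filter that checks only the last extension with one that checks every extension. The handler table, function names and sample file names are constructed for illustration.

```python
import os

# Constructed sample mapping, standing in for AddHandler-style directives.
HANDLER_EXTS = {"php": "application/x-httpd-php", "cgi": "cgi-script"}


def resolve_handler(filename):
    """Simplified model of the behaviour described above: every dot-separated
    extension is looked up, unknown ones are skipped, and the right-most
    extension that maps to a handler decides how the file is served."""
    extensions = os.path.basename(filename).lower().split(".")[1:]
    handler = None
    for ext in extensions:
        if ext in HANDLER_EXTS:
            handler = HANDLER_EXTS[ext]
    return handler


def naive_upload_check(filename):
    """Flawed filter: accepts the name if only the final extension is harmless."""
    last_ext = os.path.splitext(filename)[1].lower().lstrip(".")
    return last_ext not in HANDLER_EXTS


def strict_upload_check(filename):
    """Accepts the name only if no extension anywhere selects a handler."""
    return resolve_handler(filename) is None


def audit(filenames):
    """Return the names the naive filter accepts but the server would execute."""
    return [f for f in filenames
            if naive_upload_check(f) and not strict_upload_check(f)]


# Constructed sample upload names.
SAMPLES = ["photo.jpg", "evil.php", "evil.php.ab", "notes.txt.bak", "run.cgi.html"]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name!r}: handler={resolve_handler(name)} "
              f"naive_ok={naive_upload_check(name)} strict_ok={strict_upload_check(name)}")
    print("accepted by the naive filter but executed:", audit(SAMPLES))
```

On the server side, binding the handler with `SetHandler` inside a `<FilesMatch "\.php$">` block instead of `AddHandler` limits execution to names that actually end in `.php`.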

Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 Unported License.

Copyright 2015-present Hoti