Nobody cares about spelling, damnit! Any spelling post is a waste of a post, and of my time.
In other news, this is a known feature of Apache:
Not only is it a feature, it's documented:
<http://httpd.apache.org/docs/2.0/mod/mod_mime.html>
The docs note that the rightmost extension for a paricular category of meta data is used. The exeption is languages and encodings, where they accumulate instead.
Unknown extensions contribute nothing, and since they're unknown, it isn't known which category they aren't known for, so nothing happens with them.
So, anything dealing with Apache-served files must not look only at the file's suffix, but all positions.
To secure the user-upload area discussed earlier, you need to do one of:
- Sanitize to a known set of extensions and only allow known-valid groups of content, languate, and encoding extensions. (So .tar.gz is fine, but .php.gz is probably bad.)
- Disable PHP for the upload area (is this possible? I don't use PHP myself)
- Use ForceType to set a particular type. You've still got to worry about extension-based (instead of type-based) handlers and things link that.
- Put up the AddTypes for PHP types only in known-php directories. In this case, you would want your user upload area to be in a totally different place from your DocumentRoot so you don't get anything set on DocumentRoot leaking into the writable subdirectory. (That's a good idea in general, of course; any server directory with a different security policy from DocumentRoot should be somewhere other than under DocumentRoot.)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
It's still something that people should be aware of, but gg :-o