| Summary: | www/apache24 2.4.60 mod_dir does not appear to work | ||
|---|---|---|---|
| Product: | Ports & Packages | Reporter: | Weldon Godfrey <weldon> |
| Component: | Individual Port(s) | Assignee: | freebsd-apache (Nobody) <apache> |
| Status: | Closed Not A Bug | ||
| Severity: | Affects Only Me | CC: | fabian, nihilesthic |
| Priority: | --- | Flags: | bugzilla:
maintainer-feedback?
(apache) |
| Version: | Latest | ||
| Hardware: | Any | ||
| OS: | Any | ||
|
Description
Weldon Godfrey
2024-07-01 18:27:36 UTC
From the changelog ( https://downloads.apache.org/httpd/CHANGES_2.4.60 ): SECURITY: CVE-2024-38476: Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect (cve.mitre.org) Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable. Note: Some legacy uses of the 'AddType' directive to connect a request to a handler must be ported to 'SetHandler' after this fix. This is a possible reason. I dont think that is the issue since the page (such as index.html) loads okay if you load http://site.com/index.html but downloads the file if you just use http://site.com Sorry, my error. The site I was testing I thought had an index.html but the site owner had hacked/converted the index.html to index.php and the .html file still existed.
The issue was I add the old way of AddType for php. I commented the line out and replaced it with:
<FilesMatch \.php$>
SetHandler application/x-httpd-php
</FilesMatch>
That still worked and then upgraded to Apache 2.4.60 and it still worked after that.
Thank you for getting me in the right direction nihilesthic@proton.me !
Weldon
Update to 2.4.61 will fix this issue, see bug #280130. |