Bug 280077 - www/apache24 2.4.60 mod_dir does not appear to work
Summary: www/apache24 2.4.60 mod_dir does not appear to work
Status: Closed Not A Bug
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: freebsd-apache (Nobody)
Depends on:
Reported: 2024-07-01 18:27 UTC by Weldon Godfrey
Modified: 2024-07-04 16:50 UTC (History)
2 users (show)

See Also:
bugzilla: maintainer-feedback? (apache)


Note You need to log in before you can comment on or make changes to this bug.
Description Weldon Godfrey 2024-07-01 18:27:36 UTC
I tried updating twice to 2.4.60 with portmaster from 2.4.59 and had to revert back to snapshot.   After upgrading to 2.4.60, none of the directory pages work (index.php, index.html, etc.)  Apache just sends the directory page as a download.   However, going to htts://site.com/index.php directly works fine.

I am happy to assist to debug.  I searched for errors in all error logs with no hint what is broken.
Comment 1 nihilesthic 2024-07-02 06:05:36 UTC
From the changelog ( https://downloads.apache.org/httpd/CHANGES_2.4.60 ):

SECURITY: CVE-2024-38476: Apache HTTP Server may use
exploitable/malicious backend application output to run local
handlers via internal redirect (cve.mitre.org)
Vulnerability in core of Apache HTTP Server 2.4.59 and earlier
are vulnerably to information disclosure, SSRF or local script
execution via backend applications whose response headers are
malicious or exploitable.

Note: Some legacy uses of the 'AddType' directive to connect a
request to a handler must be ported to 'SetHandler' after this fix.

This is a possible reason.
Comment 2 Weldon Godfrey 2024-07-02 10:54:21 UTC
I dont think that is the issue since the page (such as index.html) loads okay if you load http://site.com/index.html but downloads the file if you just use http://site.com
Comment 3 Weldon Godfrey 2024-07-02 11:16:05 UTC
Sorry, my error.   The site I was testing I thought had an index.html but the site owner had hacked/converted the index.html to index.php and the .html file still existed.

The issue was I add the old way of AddType for php.  I commented the line out and replaced it with:
<FilesMatch \.php$>
    SetHandler application/x-httpd-php

That still worked and then upgraded to Apache 2.4.60 and it still worked after that.

Thank you for getting me in the right direction nihilesthic@proton.me !

Comment 4 Fabian Wenk 2024-07-04 16:50:43 UTC
Update to 2.4.61 will fix this issue, see bug #280130.