security message after upgrade to 9.5.17

Frontend · unresolved · 5 · 643
梦谈多话 2021-02-02 00:23

After upgrading to 9.5.17 I get the following security messages in the reports:

Server Response on static files:

www.mydomain.de/typo3temp/assets/43cd7

5 answers
  • 2021-02-02 00:37

    For shared hosting it can be quite hard to find out the correct handler for php.

    Some specialty for 1&1 Ionos, might even be special to this particular shared hosting package:

    shared hosting with php 7.3 (confirmed in phpinfo), but $_SERVER['REDIRECT_HANDLER'] gives "x-mapp-php5" (not sure why, could be that the hosting is running for many years and was upgraded to php 7 and they somehow alias it for whatever reason)

    The working solution for me was:

    <IfModule mod_mime.c>
        RemoveType .html .htm
        <FilesMatch ".+\.html?$">
            AddType text/html .html
            AddType text/html .htm
        </FilesMatch>
    
        RemoveType .svg .svgz
        <FilesMatch ".+\.svgz?$">
            AddType image/svg+xml .svg
            AddType image/svg+xml .svgz
        </FilesMatch>
    
        RemoveHandler .php
        RemoveType .php
        <FilesMatch ".+\.php$">
            AddType x-mapp-php5 .php
            AddHandler x-mapp-php5 .php
        </FilesMatch>
    </IfModule>
    

    I had to remove both the handler/type and add them again within the filesmatch. Took me quite a while to get this working, hope this helps.

    For host-europe $_SERVER['REDIRECT_HANDLER'] was empty, php7.4:

    <IfModule mod_mime.c>
    
        ....
    
        RemoveHandler .php
        RemoveType .php
        <FilesMatch ".+\.php$">
            # only this handler seems to work
            AddType application/x-httpd-php .php
            AddHandler application/x-httpd-php .php
        </FilesMatch>
    </IfModule>
    
    0 Discussion (0)
  • 2021-02-02 00:42

    Here is some Domainfactory speciality.

    Mind the ForceType directive (set your specific PHP version there). If not used, its webserver would still use mimetype-sniffing.

    To be used at the bottom of the newest .htaccess template (10.4, 9.5), which already includes the strict handling for .svg[z]/.htm[l].

    # DomainFactory-special:
    # 1) remove mimetype-sniffing anything for PHP
    # 2) force PHP 7.3 mimetype on .php files
    <IfModule mod_mime.c>
        RemoveType .php
        <FilesMatch ".+\.php$">
            ForceType application/x-httpd-php73
        </FilesMatch>
    </IfModule>
    
    0 Discussion (0)
  • 2021-02-02 00:50

    Hi, I have added it too

    RemoveType .html .htm
    <FilesMatch ".+\.html?$">
        AddType text/html .html
        AddType text/html .htm
    </FilesMatch>
    
    RemoveType .svg .svgz
    <FilesMatch ".+\.svgz?$">
        AddType image/svg+xml .svg
        AddType image/svg+xml .svgz
    </FilesMatch>
    
    RemoveHandler .php
    <FilesMatch ".+\.php$">
        SetHandler php72-cgi
    </FilesMatch>
    

    But one of them is still remaining:

    /typo3temp/assets/39b0efab.tmp/fd35fce3.php.wrong
    unexpected content PHP content
    

    The handler was from phpinfo()

    0 Discussion (0)
  • 2021-02-02 00:53

    The error messages you are receiving are part of a security feature that has been integrated into recent TYPO3 v9.5.17 and v10.4.2 releases, see https://docs.typo3.org/c/typo3/cms-core/master/en-us/Changelog/9.5.x/Feature-91354-IntegrateServerResponseSecurityChecks.html

    Basically it means that your current server system

    • is evaluating files like test.php.txt (.php not at the end of the filename) still as PHP content - this can cause a security vulnerability in case somebody manages to upload a similar file (which might be considered as text/plain file, but is actually executable PHP code)
      • potentially remote code execution
    • is serving files like test.html.wrong (.html not at the end of the filename) still as text/html which triggers the browser to execute HTML tags and potential dangerous <script> tags
      • potentially cross-site scripting

    Call for action

    In case this is a live and in production server, you should adjust your web server configuration.

    The fix is to limit those web server mime-type mappings to only those files having e.g. .html at the very end, as shown in this example for the Apache HTTP web server:

    <FilesMatch ".+\.html?$">
        AddType text/html .html .htm
    </FilesMatch>
    

    Find more details and explanation in the TYPO3 security guidelines for server admins at https://docs.typo3.org/m/typo3/reference-coreapi/10.4/en-us/Security/GuidelinesAdministrators/Index.html#file-extension-handling


    Update May 17th, 2020

    https://gist.github.com/ohader/11d737de95895f8ca16495a8b7001c45 contains examples of how to adjust an .htaccess file in case settings cannot be changed on a (shared) hosting environment.

    <IfModule mod_mime.c>
        RemoveType .html .htm
        <FilesMatch ".+\.html?$">
            AddType text/html .html
            AddType text/html .htm
        </FilesMatch>
    
        RemoveType .svg .svgz
        <FilesMatch ".+\.svgz?$">
            AddType image/svg+xml .svg
            AddType image/svg+xml .svgz
        </FilesMatch>
    
        RemoveHandler .php
        <FilesMatch ".+\.php$">
            # IMPORTANT: `php-fcgid` is the handler used in THIS example
            # Most probably it is different for each individual configuration
            SetHandler php-fcgid
            # SetHandler php-script
            # SetHandler application/x-httpd-php
        </FilesMatch>
    </IfModule>
    

    The current handler identifier php-fcgid was identified for the example above using phpinfo() and searching for $_SERVER['REDIRECT_HANDLER']:

    $_SERVER['REDIRECT_HANDLER'] php-fcgid
    
    0 Discussion (0)
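As an added illustration (not code from TYPO3, from the linked gist, or from any of the posters), here is a small offline Python model of the mod_mime rule the answer above describes: every dot-separated segment of a filename counts as an extension, and the last one with a type mapping sets the type while the last one with a handler mapping sets the handler. That is why `test.php.txt` is typed `text/plain` yet still handed to PHP under a default configuration, and why the RemoveType/RemoveHandler-plus-anchored-FilesMatch pattern from the thread closes both the PHP and the HTML case. The `MimeConfig` class, the `DEFAULT`/`HARDENED` objects and the probe names other than the `.php.wrong` one are constructed assumptions for this example; the resolution logic is a simplified model, not Apache's actual parser.

```python
"""Offline model of how Apache's mod_mime types a multi-dotted filename.

Added example for this thread, not code from TYPO3 or from any poster. The
configuration objects are constructed to mirror the .htaccess fragments
discussed above; the resolution rules are a simplified model of mod_mime
(each dot-separated segment is an extension; for each category the last
segment with a mapping wins), not a real parser.
"""
import re
from dataclasses import dataclass, field


@dataclass
class MimeConfig:
    # AddType / AddHandler valid everywhere (what survives RemoveType/RemoveHandler)
    types: dict = field(default_factory=dict)
    handlers: dict = field(default_factory=dict)
    # (FilesMatch regex, types, handlers) that apply only to matching filenames
    scoped: list = field(default_factory=list)


def effective_maps(filename, cfg):
    """Merge global mappings with every FilesMatch block whose regex matches."""
    types, handlers = dict(cfg.types), dict(cfg.handlers)
    for pattern, scoped_types, scoped_handlers in cfg.scoped:
        if re.search(pattern, filename):
            types.update(scoped_types)
            handlers.update(scoped_handlers)
    return types, handlers


def resolve(filename, cfg):
    """Return (content_type, handler) for filename under cfg.

    For 'a.php.txt' both .php and .txt are examined: the last extension that
    has a type sets the type, the last one that has a handler sets the handler.
    Hence '.php.txt' can be text/plain and still be executed by PHP.
    """
    types, handlers = effective_maps(filename, cfg)
    ctype = handler = None
    for segment in filename.split(".")[1:]:
        ext = "." + segment.lower()
        if ext in types:
            ctype = types[ext]
        if ext in handlers:
            handler = handlers[ext]
    return ctype, handler


def classify(filename, cfg):
    """Verdict in the spirit of TYPO3's server response check."""
    ctype, handler = resolve(filename, cfg)
    if handler is not None and "php" in handler.lower():
        return "php-executed"
    if ctype == "text/html":
        return "html"
    return "ok"


# Constructed "typical default": mappings keyed on any occurrence of the extension.
DEFAULT = MimeConfig(
    types={".html": "text/html", ".htm": "text/html",
           ".svg": "image/svg+xml", ".txt": "text/plain"},
    handlers={".php": "application/x-httpd-php"},
)

# Hardened variant following the thread's pattern: RemoveType/RemoveHandler
# globally, then re-add only inside FilesMatch blocks anchored with '$'.
HARDENED = MimeConfig(
    types={".txt": "text/plain"},
    scoped=[
        (r".+\.html?$", {".html": "text/html", ".htm": "text/html"}, {}),
        (r".+\.svgz?$", {".svg": "image/svg+xml", ".svgz": "image/svg+xml"}, {}),
        (r".+\.php$", {}, {".php": "application/x-httpd-php"}),
    ],
)

# Probe names: the .php.wrong one is quoted in the thread, the rest are
# constructed; the last two are legitimate files that must keep working.
PROBES = ["fd35fce3.php.wrong", "test.php.txt", "test.html.wrong",
          "index.php", "page.html"]


def report(cfg):
    """Map every probe name to its verdict under cfg."""
    return {name: classify(name, cfg) for name in PROBES}


if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT), ("hardened", HARDENED)):
        print(label)
        for name, verdict in report(cfg).items():
            print(f"  {name:22} {verdict}")
```

Running it shows the default configuration flagging `fd35fce3.php.wrong`, `test.php.txt` and `test.html.wrong`, while the hardened configuration returns `ok` for all three and still serves `index.php` and `page.html` as before; the same two-sided result is what the TYPO3 report is checking for on the real server.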
  • 2021-02-02 00:53

    The following solution was recommended to me by the support team of ALL-INKL.COM. I had to contact them, because the remove statements (RemoveHandler .php) did not work.

    <FilesMatch "\.(php[0-9,x]*|phtml)\.">
      SetHandler text/plain
    </FilesMatch>
    

    Thanks to the ALL-INKL.COM-Support-Team

    0 Discussion (0)