
Apache AddHandler madness all over the place

Hi! A friend of mine ran into known (though not well-known) security issues with Apache's AddHandler directive. Basically, Apache configuration like

# Avoid!
AddHandler php5-fcgi .php

applies to a file called evilupload.php.png, too. Yes. Looking at the current Apache documentation, it should clearly say that AddHandler should not be used any more for security reasons. That's what I would expect. What I find as of 2015-02-15 looks different:

Maybe that's why AddHandler is still proposed all across the Internet:

And maybe that's why it made its way into app-admin/eselect-php (bug #538822) and a few more. Please join the fight. Time to get AddHandler off the Internet!
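
The multi-extension matching described above, as an added example (not code from the original post or from Apache): a simplified Python model of how `AddHandler` selects a handler from any extension in a file name, compared with an anchored match on the final extension, which is what a `<FilesMatch "\.php$">` block with `SetHandler` expresses. The helper names and the sample listing are constructed for illustration.

```python
import re

# Constructed mapping mirroring "AddHandler php5-fcgi .php" from the post.
ADDHANDLER = {"php": "php5-fcgi"}
# Anchored alternative: only the final extension of the name counts.
FILESMATCH = re.compile(r"\.php$")


def addhandler_match(filename, mapping=ADDHANDLER):
    """Simplified model of mod_mime: every dot-separated component after the
    base name is an extension, and any of them can select the handler."""
    name = filename.rsplit("/", 1)[-1]   # drop the directory part
    extensions = name.split(".")[1:]     # first component is the base name
    handler = None
    for ext in extensions:               # rightmost mapped extension wins
        handler = mapping.get(ext.lower(), handler)  # extensions are case-insensitive
    return handler


def filesmatch_match(filename):
    """True only when the name ends in .php, as an anchored regex would require."""
    return bool(FILESMATCH.search(filename.rsplit("/", 1)[-1]))


def audit(filenames):
    """Names AddHandler would pass to PHP although they do not end in .php."""
    return [f for f in filenames
            if addhandler_match(f) and not filesmatch_match(f)]


# Constructed sample listing of an upload directory.
SAMPLE = [
    "index.php",
    "evilupload.php.png",
    "photo.png",
    "report.PHP.txt",
    "uploads/avatar.php.jpg",
    "notes.phps",
]

if __name__ == "__main__":
    for name in audit(SAMPLE):
        print("handled as PHP only because of AddHandler:", name)
```

Running `audit` over a real listing of user-writable directories shows which existing files change behaviour when the configuration is switched from `AddHandler` to the anchored form.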