htm Extension

Bruce A. Julseth wrote:

Can I configure Apache to recognize PHP Code in a page with an .htm
extension? If so, how do I do it?

Thanks.

Bruce

..htaccess file (in the directory where you want to enable it) should
contain the following:

AddType application/x-httpd-php .htm

No need to do it for the sub-directories, it's recursive.

--
Justin Koivisto - ju****@koivi.com
http://koivi.com

Be careful when you make a change like that. When you suddenly make
non-executable files executable, you could introduce very serious
vulnerabilities.

For example, say you have log analyser that produces .htm files. In the
reports, the names of the browsers are listed. If the analyser doesn't
properly escape the user-agent field, then an attacker can inject PHP
code into your site.

I agree with Chung, this is a rather non-standard and risky kind of
change to make. Be sure to review your alternatives before choosing
this action.

~D

Could you elaborate on that? How would a person be able to inject code
because
of an improperly escaped field?

And why would this be a risk with a PHP generated .htm file and not a
static .htm
file with similar escaped field?

Or for that matter, would a .php file be immune from this exploit?

> Could you elaborate on that? How would a person be able to inject code

because
of an improperly escaped field?

And why would this be a risk with a PHP generated .htm file and not a
static .htm
file with similar escaped field?

Or for that matter, would a .php file be immune from this exploit?

These vunrubilities do exist however it is a little different because
you are adding a scripting language to a filetype that is not ment to
have a scripted language and is not default behavior.

However, most clients should always make sure to escape a field but here
is the problem.

Someone sends there user agent as: <?php echo('hi); ?> (would most
likely be worse) and then all of a sudden for your useragent in a log
writer could show that. Now when that is parsed through php, obviously
you are going to get "hi".

Now when the useragent is used in php you can not execute anything
because you are either parsing the value from the database or just using
the $_SERVER variable to retrieve the string. Now I say string because
all PHP things of it is that it is a string.

I hope that helps and clarifies things a bit.

Mike

"Bruce A. Julseth" <br***********@attglobal.net> wrote in message
news:42********@news1.prserv.net...

Can I configure Apache to recognize PHP Code in a page with an .htm
extension? If so, how do I do it?

Thanks.

Bruce

Thanks for the help.. I guess I'll remain using PHP as my extension.

Thanks again..