Explore our sites

Stack Exchange
tour help
Take the tour ×
Information Security Stack Exchange is a question and answer site for Information security professionals. It's 100% free, no registration required.
up vote 6 down vote favorite

I am working on a very old and messy site, which doesn't have a CMS, or a database. However, it has a lot of .htm and .php files. I need to add some PHP code to some of the .htm files, but want to leave the URL as is.

Long story short, is there any problem, or security concern, when enabling PHP script execution for .htm files globally, via Apache's .htaccess?

What could go wrong? Specifically, I am talking about this configuration change in my Apache web server:

AddType application/x-httpd-php .html .htm
share|improve this question
add comment

1 Answer

up vote 7 down vote accepted

Generally, configuring PHP to execute all files (as your title says) is a bad idea, especially if your website has an upload functionality. Someone could simply upload a PHP file with the extension .jpg then execute it on your server, and your server is gone.

However, in your case, if users can't upload .html or .htm files (or .php, of course) then there's almost no added security risk.

share|improve this answer
 
thx. users cant upload anything on this site. Its just for looking. What do you mean with "almost" no risk though? –  user1721135 Jun 4 at 20:02
 
@user1721135 It's just a way to say two things: A- I'm not a SuperDuper security expert, so there might be some risk, but AFAIK, there isn't any. B- There's nothing 100% secure (I'm sure you already know that) –  Adnan Jun 4 at 20:13
 
I can confirm that I have worked with html and htm files being passed to the PHP parser before. As long as an attacker can't upload a file with that extension, then there is no more risk than having PHP files processed by PHP. I believe PHP is actually designed to handle this too as I'm pretty sure that if you process an HTML file with PHP it comes out as HTML but will allow processing of any in-line PHP tags. –  AJ Henderson Jun 4 at 20:43
1  
I think you're mostly looking at a performance penalty since you'll be parsing every HTML file instead of just shooting it out to each visitor. Size of penalty may be small. –  BrianAdkins Jun 4 at 22:29
 
@Adnan: incorrect... There is extra overhead in even looking for the php tags. Every single HTML file will be parsed by PHP to determine whether or not the file contains any php tags. There most certainly will be increased overhead... But the penalty may be very small.....programmers.stackexchange.com/questions/137869/… –  BrianAdkins Jun 5 at 11:22
show 1 more comment

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.