On Wed, Jan 04, 2006 at 11:18:25PM +0100, Joachim Schipper wrote:
> On Wed, Jan 04, 2006 at 05:20:18PM +0000, Craig Skinner wrote:
> > On Wed, Jan 04, 2006 at 05:28:38PM +0100, Joachim Schipper wrote:
> > > There was a phpBB2 in one of the paths used. If you have phpBB enabled
> > > somewhere, that's a likely attack vector.
> >
> > The ISP that I work for scans for it and support follow a procedure to
> > warn the customer that it has been disabled. (chmod)
> >
> > An easy way is to change:
> >
> > AddType application/x-httpd-php .php
> >
> > to:
> >
> > AddType application/x-httpd-php .phtml
> >
> > Most php packages come with .php files, and people that use them usually
> > don't have the nous to alter all the files and links throughout the
> > package.
>
> Sneaky, effective, and yet allows people with a little knowledge or
> perseverance to work unhindered. I like it. ;-)
>
> The downside is people expecting support, of course.
>
What I would do in this case is:

*) add the .phtml
*) notify customers of the impending change (outline it as a process/security improvement)
*) give them 2 months, remind often
*) drop the .php extension for a few days so that they can test
*) reinstate the .php extension for a fortnight so the stragglers can catch up
*) remove the .php extension, and back support staff to the hilt when 5% complain

Craig.
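An added example, not from the thread or from either poster: a small POSIX sh audit for the AddType change described above. It reads which extensions an httpd.conf still hands to application/x-httpd-php, then lists files under a document root that would be served verbatim once .php is unmapped (a config.php full of database credentials becomes plain text the moment the handler is gone, which is the check worth running before the final step of Craig's schedule). It assumes the mapping is expressed with AddType lines as in the thread, not AddHandler, and the httpd.conf and document root it builds under a temporary directory are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): audit which extensions an Apache
# httpd.conf hands to the PHP module, and list files under a document root
# that would be served as plain text once the .php mapping is dropped.
# Assumption: "AddType application/x-httpd-php .ext ..." lines only.

# Print, one per line, every extension mapped to application/x-httpd-php
# in the given config. Comments are stripped first, so a commented-out
# "# AddType ... .php" line is correctly reported as no longer active.
php_handler_extensions() {
    sed 's/#.*//' "$1" \
      | awk '$1 == "AddType" && $2 == "application/x-httpd-php" {
                 for (i = 3; i <= NF; i++) print $i }'
}

# List files under a document root that look like PHP source (.php or
# .phtml) but whose extension is no longer in the handler list: these
# would be delivered to browsers as raw text, credentials included.
unmapped_php_sources() {
    docroot=$1; conf=$2
    exts=$(php_handler_extensions "$conf" | tr '\n' ' ')
    find "$docroot" -type f \( -name '*.php' -o -name '*.phtml' \) |
    while read -r f; do
        ext=".${f##*.}"
        case " $exts " in
            *" $ext "*) ;;            # still handled by PHP
            *) printf '%s\n' "$f" ;;  # would be served as plain text
        esac
    done | sort
}

# --- constructed fixture: a tiny site after the .php -> .phtml change ---
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/httpd.conf" <<'EOF'
# Old mapping, commented out as part of the change:
# AddType application/x-httpd-php .php
AddType application/x-httpd-php .phtml   # new extension
EOF
mkdir -p "$TMP/htdocs/forum"
printf '<?php $dbpass = "example-secret"; ?>\n' > "$TMP/htdocs/forum/config.php"
printf '<?php echo "ok"; ?>\n' > "$TMP/htdocs/index.phtml"

echo "extensions still handled by PHP:"
php_handler_extensions "$TMP/httpd.conf"
echo "PHP sources that would now be served as plain text:"
unmapped_php_sources "$TMP/htdocs" "$TMP/httpd.conf"
```

Run it against the real httpd.conf and DocumentRoot during the "drop .php for a few days" window: an empty second list means every customer has renamed or relinked, a non-empty one is the list of people who will be exposing their source, not just losing a forum, when the extension is removed for good.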