I have a Server Running Apache 1.3.14 and it has PHP4 running
as a module. For our customers we require that they use .cgi
for all of their scripts and so if a user wants to run a php4
script on our server they use www.blah.com/myphpfile.cgi with
of course the first line being #!/usr/local/bin/php4, then our
server runs the php4 script as the user rather than running
as the server username.
I noticed a security whole if a customer stuck a .htaccess
file in the Directory and then added the following, it would
allow them to stick .php files in their home directory and have
it run as the server and be parsed automatically. Is there a way
to make it so that they can't do this and me not have to disable
the AllowOverride FileInfo, cause right now I have to disable that
feature cause of the security problem that it allowed to happen.
Anyone have any idea of what I can do?
/'^'\
( o o )
------------------------------------------oOOO--(_)--OOOo----
Devin Atencio
ArosNet Systems Administration .oooO
EMail: [EMAIL PROTECTED] ( ) Oooo.
--------------------------------------------\ (----( )-----
\_) ) /
(_/
