> I have a Server Running Apache 1.3.14 and it has PHP4 running
> as a module. For our customers we require that they use .cgi
> for all of their scripts and so if a user wants to run a php4
> script on our server they use www.blah.com/myphpfile.cgi with
> of course the first line being #!/usr/local/bin/php4, then our
> server runs the php4 script as the user rather than running
> as the server username.
>
> I noticed a security hole: if a customer stuck a .htaccess
> file in the Directory and then added the following, it would
> allow them to stick .php files in their home directory and have
> them run as the server and be parsed automatically. Is there a way
> to make it so that they can't do this without me having to disable
> AllowOverride FileInfo? Right now I have to disable that
> feature because of the security problem it allowed to happen.
>
> Anyone have any idea of what I can do?
If you are running PHP only as a CGI, why is it built into the server?
Remove the PHP server module and people can't do that. Or alternatively,
disable it selectively in the directories you want to use the module
version by turning it off by default:
in your php.ini:
engine = Off
And in your httpd.conf in the appropriate VirtualHost or Directory blocks:
php_admin_flag engine On
-Rasmus
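As an added illustration (not Rasmus's text, and not configuration from the original thread) of how the two settings fit together: php.ini carries `engine = Off` as the global default, and the httpd.conf fragment below re-enables the module only in the administrator-controlled site while the customer tree keeps `AllowOverride FileInfo`. The paths, address and host names are assumed for the example. The property that makes this work is that `php_admin_flag` is only accepted in httpd.conf (server or VirtualHost/Directory context) and cannot be overridden from .htaccess, so a customer adding `AddType application/x-httpd-php .php` gets the module invoked with the engine still off.

```apache
# httpd.conf (Apache 1.3, PHP 4 module loaded; php.ini has "engine = Off")

# Customer scripts run as CGI under their own uid via the .cgi extension.
AddHandler cgi-script .cgi

# Customer content (path assumed). FileInfo overrides remain allowed:
# with the engine off globally and php_admin_flag unavailable in
# .htaccess, a customer cannot turn module execution back on here.
<Directory /home/customers>
    AllowOverride FileInfo
    Options +ExecCGI
</Directory>

# Administrator-controlled site (address, name and root assumed):
# the only place the module engine is switched on.
<VirtualHost 192.0.2.10:80>
    ServerName www.example.com
    DocumentRoot /www/example
    php_admin_flag engine On
    AddType application/x-httpd-php .php
</VirtualHost>
```

After restarting Apache, drop a small .php file into a customer directory (alongside a .htaccess that maps .php to the module) and request it: it must not execute as the server user. With the engine off the PHP 4 module hands the request back to Apache, so the file is delivered as a static file rather than run; that is the expected result of the check.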