At 07:37 PM 5/8/2005, Stuart Low wrote:
Heya,

PHP as a CGI also requires users (read, typically, morons) to add a
shebang line to their scripts.

Seems like a small, but ongoing price to pay. I guess the same question over and over could drive you nuts after a while. But then again, it seems like you could give them a so-called PHP safe dir. Call it something like that anyway and that could avoid a few questions. But that raises another question: I never have been able to find the equivalent of ExecCGI for PHP. It just seems like it is not done. I found one example of a guy who did this with a list of handler statements in an .htaccess file. A horrible idea. A web designer tried to make some additions to the .htaccess file, pooched it and brought down the whole website as a result :)


What we do is put in an open_basedir for
all vhosts at a bare minimum. Another favourite is the mod_suexec module
additions for mod_php (I forget the exact name).

Another countermeasure is mod_security which can block phpBB exploit
attempts (and other common ones).

Stuart

I would not tend to think very much of open_basedir by itself, but the other options you mention sound like they are worthwhile. Thanks for the info; I was curious and you filled in some blanks.


Eric



On Sun, 2005-05-08 at 19:13 -0700, Eric Frazier wrote:
> Hi,
>
> Does no one use cgi wrap anymore? I thought that the best way to handle
> this kind of thing is to run PHP as a CGI first off, and then use something
> like wrap to isolate users. Yes, lesser performance, but people running on
> shared servers get what they pay for, and it certainly makes sense to take
> their security first and performance second.
>
> Eric
>
> At 06:55 PM 5/8/2005, Gary W. Smith wrote:
> >Here is the explanation as you have already presented it:
> >
> >All users' sites are owned by httpd
> >There are multiple user sites, we'll say a-z.
> >Site a is running PHPbb with a version known to be buggy.
> >Someone issues a hack against site a. The hack says modify site b-z.
> >Apache says, why not, I own the files so I can.
> >User from site j complains because site is hacked.
> >
> >The rule of thumb is that apache can edit any file it has read/write
> >access to.
> >
> >What we have done in the past to prevent this.
> >
> >We have multiple sites running on single boxes and ensure that this
> >doesn't happen by having the files owned by the user with read-only
> >access to apache (r/w is assigned by the users at their own risk,
> >usually only to directories they need to upload to).
> >
> >If your users fail to update their versions of phpBB there isn't much you
> >can do, but you are also not responsible for their failure to do so.
> >
> >We also turn on open base dir per virtual instance (all on one line).
> >php_admin_value open_basedir "/tmp:
> >/home/whateveruser/html:
> >/usr/local/horde:
> >/usr/local/lib"
> >
> >This might help, but it won't hurt!
> >
> > > ----- Original Message -----
> > > From: "Mathew Thomas" <[EMAIL PROTECTED]>
> > > To: <users@httpd.apache.org>
> > > Sent: Sunday, May 08, 2005 8:23 PM
> > > Subject: Re: [EMAIL PROTECTED] Hacked the website replace the index.hm
> >page
> > >
> > >
> > > Hi Tim,
> > >
> > > Could you please explain it a bit more. There is no connection between
> > > the hacked website and the phpBB website (both are different virtual hosts).
> > > We are using php version 4.3.9. Do you mean upgrade php?
> > >
> > > Thanks
> > > Mathew
> > >
> > >
> >
> >---------------------------------------------------------------------
> >The official User-To-User support forum of the Apache HTTP Server Project.
> >See <URL:http://httpd.apache.org/userslist.html> for more info.
> >To unsubscribe, e-mail: [EMAIL PROTECTED]
> > " from the digest: [EMAIL PROTECTED]
> >For additional commands, e-mail: [EMAIL PROTECTED]
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> " from the digest: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>





---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
  "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
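As an added example (not code from the thread or from the Apache project), here is how a hosting admin could audit the ownership scheme Gary describes: walk a vhost's docroot and flag every directory or file the web-server account could write, since a vulnerable phpBB in one vhost can only rewrite what that account can write. The account name passed to `resolve_account` (such as `apache`) and any sample tree are assumptions.

```python
"""Audit a vhost docroot for inodes the web-server account could write.

Added example, not from the thread. It checks the thread's advice directly:
site files owned by the customer, httpd account read-only. The account name
("apache", "httpd", ...) is an assumption about the target box.
"""
import grp
import os
import pwd
import stat
from typing import FrozenSet, List, Tuple


def resolve_account(name: str) -> Tuple[int, FrozenSet[int]]:
    """uid plus every gid (primary and supplementary) of the web-server account."""
    pw = pwd.getpwnam(name)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if name in g.gr_mem}
    return pw.pw_uid, frozenset(gids)


def writable_by(st: os.stat_result, uid: int, gids: FrozenSet[int]) -> bool:
    """Could an unprivileged process running as uid with these gids write the inode?

    Ownership by the web uid is flagged even without the u+w bit: the owner can
    always chmod it writable again ("I own the files so I can", as the thread puts it).
    """
    if st.st_uid == uid:
        return True
    if st.st_gid in gids and st.st_mode & stat.S_IWGRP:
        return True
    return bool(st.st_mode & stat.S_IWOTH)


def audit_docroot(docroot: str, uid: int, gids: FrozenSet[int]) -> List[Tuple[str, str]]:
    """Return sorted (path relative to docroot, reason) for each writable directory or file."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):  # symlinks are not followed
        for full in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits say nothing about its target
            if writable_by(st, uid, gids):
                why = "owned by web uid" if st.st_uid == uid else "mode %04o" % (st.st_mode & 0o7777)
                findings.append((os.path.relpath(full, docroot), why))
    return sorted(findings)
```

Run it as `audit_docroot("/home/whateveruser/html", *resolve_account("apache"))`; an empty result means the web server can at most read the site, which is the state Gary's setup aims for (deliberately writable upload directories will show up and should be reviewed, not silently accepted).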


