Re: [PHP] Apache/PHP4 Question

2001-06-19 Thread Rasmus Lerdorf

 I have a Server Running Apache 1.3.14 and it has PHP4 running
 as a module. For our customers we require that they use .cgi
 for all of their scripts and so if a user wants to run a php4
 script on our server they use www.blah.com/myphpfile.cgi with
 of course the first line being #!/usr/local/bin/php4, then our
 server runs the php4 script as the user rather than running
 as the server username.

 I noticed a security hole if a customer stuck a .htaccess
 file in the Directory and then added the following, it would
 allow them to stick .php files in their home directory and have
 it run as the server and be parsed automatically. Is there a way
 to make it so that they can't do this and me not have to disable
 the AllowOverride FileInfo, cause right now I have to disable that
 feature cause of the security problem that it allowed to happen.

 Anyone have any idea of what I can do?

If you are running PHP only as a CGI, why is it built into the server?
Remove the PHP server module and people can't do that.  Or alternatively,
disable it selectively in the directories you want to use the module
version by turning it off by default:

in your php.ini:

engine = Off

And in your httpd.conf in the appropriate VirtualHost or Directory blocks:

php_admin_flag engine On

-Rasmus
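The configuration below is an added example, not part of the thread, showing how Rasmus's "off by default, on where wanted" suggestion fits together with Tony's removal of the global AddType in an Apache 1.3 httpd.conf. The paths, the LoadModule/AddModule lines and the CGI handler settings for the customer directories are assumptions about the poster's layout. Two details worth knowing when applying it: php_admin_flag, unlike php_flag, cannot be overridden from a .htaccess file, so setting it at the server level pins the default regardless of AllowOverride; and with the engine off, a file mapped to the PHP type is passed through by the module rather than parsed, which is why the AddType is only placed inside the directories where the engine is actually on.

```apache
# Added example (not from the thread): Apache 1.3 httpd.conf fragment.
# php.ini keeps the module disabled by default, as Rasmus suggests:
#   engine = Off

# Module still loaded so that selected directories can use it
# (library path is a placeholder for this example).
LoadModule php4_module libexec/libphp4.so
AddModule  mod_php4.c

# Pin the default at the server level. php_admin_* directives cannot be
# changed from .htaccess, so customers with AllowOverride FileInfo cannot
# turn the engine back on in their own trees.
php_admin_flag engine Off

# Deliberately no global "AddType application/x-httpd-php .php" (Tony's
# suggestion). If a customer re-adds it in .htaccess, the module declines
# the request because the engine is off, so nothing runs as the server user.

# Customer trees: PHP only as CGI, i.e. .cgi files starting with
# #!/usr/local/bin/php4, executed as the customer as the existing setup
# already does. Directory path and CGI handler lines are assumptions.
<Directory /home/*/public_html>
    Options +ExecCGI
    AddHandler cgi-script .cgi
    AllowOverride FileInfo
</Directory>

# Trusted, server-managed content that should use the module version:
# enable the engine and map the extension only here.
<Directory /usr/local/apache/htdocs/site>
    php_admin_flag engine On
    AddType application/x-httpd-php .php
</Directory>
```

To confirm the result, place a small .php file in a customer directory together with a .htaccess that adds the PHP type: the file should come back unparsed (served as a plain file) rather than executed, while the same file under the trusted directory is parsed by the module.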




Re: [PHP] Apache/PHP4 Question

2001-06-19 Thread tony . mccrory


Sounds like you could remove the mime type for php in httpd.conf:

AddType application/x-httpd-php .php

Tony
--
Tony McCrory
IT, Trinity Mirror group (Ireland)
(028) 9068 0168
[EMAIL PROTECTED]


Devin Atencio
dreamboy@arocc
s.net
To: [EMAIL PROTECTED]
Subject: [PHP] Apache/PHP4 Question
06/14/2001 04:45 PM

I have a Server Running Apache 1.3.14 and it has PHP4 running
as a module. For our customers we require that they use .cgi
for all of their scripts and so if a user wants to run a php4
script on our server they use www.blah.com/myphpfile.cgi with
of course the first line being #!/usr/local/bin/php4, then our
server runs the php4 script as the user rather than running
as the server username.

I noticed a security hole if a customer stuck a .htaccess
file in the Directory and then added the following, it would
allow them to stick .php files in their home directory and have
it run as the server and be parsed automatically. Is there a way
to make it so that they can't do this and me not have to disable
the AllowOverride FileInfo, cause right now I have to disable that
feature cause of the security problem that it allowed to happen.

Anyone have any idea of what I can do?

   /'^'\
  ( o o )
--oOOO--(_)--OOOo
Devin Atencio
ArosNet Systems Administration .oooO
EMail: [EMAIL PROTECTED]   (   )   Oooo.
\ ((   )-
 \_)) /
   (_/







[PHP] Apache/PHP4 Question

2001-06-18 Thread Devin Atencio


I have a Server Running Apache 1.3.14 and it has PHP4 running
as a module. For our customers we require that they use .cgi
for all of their scripts and so if a user wants to run a php4
script on our server they use www.blah.com/myphpfile.cgi with
of course the first line being #!/usr/local/bin/php4, then our
server runs the php4 script as the user rather than running
as the server username. 

I noticed a security hole if a customer stuck a .htaccess
file in the Directory and then added the following, it would
allow them to stick .php files in their home directory and have
it run as the server and be parsed automatically. Is there a way
to make it so that they can't do this and me not have to disable
the AllowOverride FileInfo, cause right now I have to disable that
feature cause of the security problem that it allowed to happen.

Anyone have any idea of what I can do?

   /'^'\
  ( o o )
--oOOO--(_)--OOOo
Devin Atencio
ArosNet Systems Administration .oooO
EMail: [EMAIL PROTECTED]   (   )   Oooo.
\ ((   )-
 \_)) /
   (_/