
User Contributed Notes 16 notes

up
9
pookey at pookey dot co dot uk
14 years ago
I have set up a guide to installing PHP with SuEXEC in such a way that shebangs (#!/usr/bin/php4) are not needed.  Hope this is of some help to you.

http://www.pookey.co.uk/php-security.xml
up
7
Anonymous
5 years ago
IMPORTANT INFORMATION

There was a serious vulnerability in certain CGI-based PHP setups that has gone unnoticed for at least 8 years.

For PHP this means that a request containing ?-s may dump the PHP source code for the page.

Make sure to update to current versions and/or use an .htaccess patch, both available here:

PHP 5.3.12 and PHP 5.4.2 Released:
http://www.php.net/archive/2012.php#id2012-05-03-1
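As an added illustration of the "?-s" problem described above (not code from the php.net announcement or from this note), the following Python snippet scans Apache access-log lines for query strings that a CGI-mode php-cgi would receive as command-line arguments. The log lines, IP addresses and function names are constructed for the example; the rule it applies is the RFC 3875 one: a query string with no unencoded "=" is passed to the CGI program as argv.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-log lines (not real traffic); the 4th line uses
# %2d / %3d encoding so that the raw query string carries no literal '='.
SAMPLE_LOG = """\
203.0.113.5 - - [03/May/2012:10:00:01 +0000] "GET /index.php?-s HTTP/1.1" 200 1532 "-" "curl/7.21"
203.0.113.5 - - [03/May/2012:10:00:02 +0000] "GET /index.php?id=5 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.9 - - [03/May/2012:10:00:03 +0000] "GET /index.php?%2ds HTTP/1.1" 200 1532 "-" "curl/7.21"
203.0.113.9 - - [03/May/2012:10:00:04 +0000] "GET /index.php?-s+x%3d1 HTTP/1.1" 200 1532 "-" "curl/7.21"
198.51.100.2 - - [03/May/2012:10:00:05 +0000] "GET /index.php?q=-s HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.2 - - [03/May/2012:10:00:06 +0000] "GET /index.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)'
)


def query_is_cgi_argv(raw_query: str) -> bool:
    """Per RFC 3875 a query string with no unencoded '=' is handed to the CGI
    program as argv (split on '+'). Return True when that argv would start
    with an option, i.e. php-cgi would read it as a switch such as -s."""
    if raw_query == "" or "=" in raw_query:
        return False
    first_arg = unquote(raw_query.split("+", 1)[0])
    return first_arg.startswith("-")


def find_option_injection(log_text: str) -> list:
    """Return (client_ip, path, decoded_query) for every suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or "?" not in m.group("target"):
            continue
        path, raw_query = m.group("target").split("?", 1)
        if query_is_cgi_argv(raw_query):
            hits.append((m.group("ip"), path, unquote(raw_query)))
    return hits


if __name__ == "__main__":
    for ip, path, query in find_option_injection(SAMPLE_LOG):
        print(f"{ip} requested {path} with CGI argv {query!r}")
```

The check is done on the raw query string before decoding, so an encoded "%3d" does not count as the "=" that would stop the server from treating the query as arguments.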
up
6
martelli at geoserve dot com dot br
13 years ago
PHP CGI with VirtualHosts.

This is what I found out while trying to get php to work as CGI with Apache VirtualHosts.

By enabling 'force-cgiredirects', you *must*:
1) set 'cgi.fix_pathinfo=1' in php.ini
2) leave doc_root commented out (php.ini also)

If you miss item 1, the apache logs will show 'unexpected T_STRING' in the php binary.
If you miss item 2, you'll only see 'No input file specified.', instead of the expected output.

You can then turn on the php support for a particular vhost by defining:

Action php-script /cgi-bin/php

inside the corresponding <VirtualHost> directive.
up
6
steeven at kali dot com dot cn
16 years ago
suEXEC requires CGI mode, and slows down the scripts. I did it like this:
1. Install php in DSO mode (for max speed and low security).
2. Make a separate CGI install with --enable-force-cgi-redirect, place php in cgi-bin
3. For more security with suEXEC, choose one of the following methods:
3-1: Place a .htaccess file containing this to override the main config:
AddType application/x-httpd-wphp php
Action application/x-httpd-wphp /cgi-bin/php
  All php files in the subdirectory will be protected.
3-2: add the following in httpd.conf:
AddType application/x-httpd-wphp sphp
Action application/x-httpd-wphp /cgi-bin/php
  then each sensitive php file should be renamed to .sphp

Add "php_value doc_root /home/user/html_docs" to each virtual host directive in httpd.conf
up
5
kstone at trivergent dot net
17 years ago
Better yet, use binfmt_misc:  (linux only)

echo :php3:E::php3::/usr/bin/php: > /proc/sys/fs/binfmt_misc/register

Eliminates the need for the #! at the top of the file.
up
5
michel dot jansens at ulb dot ac dot be
16 years ago
If you want to use suexec and reference your php interpreter via #!/usr/local/bin/php,  be sure to compile php WITHOUT  --enable-force-cgi-redirect.

This might seem obvious, but I spent 2 days on this :-(
up
3
ruben at puettmann dot net
15 years ago
To use php-cgi with suexec it would be nice if each virtual host had its own php.ini. This goes with:

SetEnv PHPRC /var/www/server/www.test.com/conf

But suexec will kill this environment variable because it doesn't know that it is "safe", so you must edit suexec.c before compiling ....
up
2
yohgaki at hotmail dot com
16 years ago
If you care about security, you are better off setting

register_globals = off
enable_track_vars = on (Always on since PHP 4.0.3)

Default setting for variable order is
EGPCS
(ENV VARS/GET VARS/POST VARS/COOKIE VARS/SESSION VARS)

Imagine if you rely on an ENV VAR but it was overwritten with GET/POST/COOKIE vars?
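As an added illustration of the overwrite the note above warns about (not code from the note or from PHP itself), here is a small Python model of register_globals importing the sources in variables_order sequence, run against a constructed request; the function names and the sample values are mine.

```python
# Model of register_globals=on with variables_order=EGPCS: every source is
# imported into one namespace in order, so a later source silently overwrites
# a name an earlier source already set. Added example; not PHP's own code.

def register_globals(order: str, sources: dict) -> dict:
    """Import E, G, P, C, S into one namespace in 'order'; each later source
    overwrites any name set by an earlier one, which is the hazard described."""
    namespace = {}
    for letter in order:
        namespace.update(sources.get(letter, {}))
    return namespace


def clobbered(order: str, sources: dict) -> dict:
    """Map each overwritten name to (source that set it first, source that won)."""
    first_seen, result = {}, {}
    for letter in order:
        for name in sources.get(letter, {}):
            if name in first_seen:
                result[name] = (first_seen[name], letter)
            else:
                first_seen[name] = letter
    return result


# Constructed request: the script trusts the environment's DOCUMENT_ROOT, but a
# GET parameter of the same name arrives in the same request.
SOURCES = {
    "E": {"DOCUMENT_ROOT": "/var/www/html", "SERVER_NAME": "www.example.com"},
    "G": {"DOCUMENT_ROOT": "/tmp/untrusted", "page": "1"},
    "C": {"page": "2"},
}

if __name__ == "__main__":
    print(register_globals("EGPCS", SOURCES)["DOCUMENT_ROOT"])  # /tmp/untrusted
    print(clobbered("EGPCS", SOURCES))
```

With register_globals off, the script reads DOCUMENT_ROOT explicitly from the environment source (the "E" entry here, $_SERVER/$_ENV in PHP) and the GET value can no longer shadow it.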
up
-1
phil dot ross at gmail dot com
12 years ago
In response to grange at club-internet dot fr:

There are a couple of errors in the mod_rewrite directives given. I found that the following works:

RewriteEngine on
RewriteCond %{ENV:REDIRECT_STATUS} !200
RewriteRule ^cgi-bin/php.cgi - [F]

I removed the = from the RewriteCond and took out the leading / from the RewriteRule.
up
-1
goran_johansson at yahoo dot com
14 years ago
A tip for Windows users

Just a tip for you so you do not make the same mistake as I did:
I just found out that PHP first seems to look in the php directory for php.ini, and if that file does not exist, it looks in the Windows directory.
I renamed the file php.ini-dist to php.ini and copied it to my Windows directory, and then I modified the infamous "cgi.force_redirect = 0" in the php.ini file located in the Windows directory, to make it work. But it did not because it reads from the "original" php.ini - So when I deleted this php.ini things started