ScriptAlias /php5/ /dir/php5/
AddType application/x-httpd-php5 .php5
Action application/x-httpd-php5 "/php5/php.exe"

Wouldn't that work without a shebang line? Or would it not solve the problem/add some other problem?

// DvDmanDT
MSN: dvdmandt¤hotmail.com
Mail: dvdmandt¤telia.com

----- Original Message -----
From: "Stuart Low" <stuart@xxxxxxxxxxxxxx>
To: <users@xxxxxxxxxxxxxxxx>
Sent: Monday, May 09, 2005 4:37 AM
Subject: RE: [users@httpd] Hacked the website replace the index.hm page

> Heya,
>
> PHP as a CGI also requires users (read, typically, morons) to add a
> shebang line to their scripts. What we do is put in an open_basedir for
> all vhosts at a bare minimum. Another favourite is the mod_suexec module
> additions for mod_php (I forget the exact name).
>
> Another countermeasure is mod_security which can block phpBB exploit
> attempts (and other common ones).
>
> Stuart
>
> On Sun, 2005-05-08 at 19:13 -0700, Eric Frazier wrote:
> > Hi,
> >
> > Does no one use cgi wrap anymore? I thought that the best way to handle
> > this kind of thing is to run PHP as a CGI first off, and then use something
> > like wrap to isolate users. Yes, lesser performance, but people running on
> > shared servers get what they pay for, and it certainly makes sense to take
> > their security first and performance second.
> >
> > Eric
> >
> > At 06:55 PM 5/8/2005, Gary W. Smith wrote:
> > > Here is the explanation as you have already presented it:
> > >
> > > All users' sites are owned by httpd.
> > > There are multiple user sites, we'll say a-z.
> > > Site a is running phpBB with a version known to be buggy.
> > > Someone issues a hack against site a. The hack says modify sites b-z.
> > > Apache says, why not, I own the files so I can.
> > > User from site j complains because site is hacked.
> > >
> > > The rule of thumb is that apache can edit any file it has read/write
> > > access to.
> > >
> > > What we have done in the past to prevent this:
> > >
> > > We have multiple sites running on single boxes and ensure that this
> > > doesn't happen by having the files owned by the user with read-only
> > > access to apache (r/w is assigned by the users at their own risk,
> > > usually only to directories they need to upload to).
> > >
> > > If your users fail to update their versions of phpBB there isn't much you
> > > can do, but you are also not responsible for their failure to do so.
> > >
> > > We also turn on open_basedir per virtual instance (all on one line).
> > > php_admin_value open_basedir "/tmp:/home/whateveruser/html:/usr/local/horde:/usr/local/lib"
> > >
> > > This might help, but it won't hurt!
> > >
> > > > ----- Original Message -----
> > > > From: "Mathew Thomas" <mathew.thomas@xxxxxxxxxxx>
> > > > To: <users@xxxxxxxxxxxxxxxx>
> > > > Sent: Sunday, May 08, 2005 8:23 PM
> > > > Subject: Re: [users@httpd] Hacked the website replace the index.hm page
> > > >
> > > >
> > > > Hi Tim,
> > > >
> > > > Could you please explain it a bit more. There is no connection between the
> > > > hacked website and phpBB website (both are different virtual hosts). We are
> > > > using php version 4.3.9. Do you mean upgrade php?
> > > >
> > > > Thanks
> > > > Mathew
> > >
> > > ---------------------------------------------------------------------
> > > The official User-To-User support forum of the Apache HTTP Server Project.
> > > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> > >    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> > > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
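The thread above discusses two ways of keeping one compromised vhost from rewriting the others: fencing mod_php with a per-vhost open_basedir (Gary's setup) and running PHP as a CGI through ScriptAlias/Action (DvDmanDT's question). The configuration below is an added example written for this page, not config posted by any participant; the hostnames, unix users and paths (site-a.example, /home/sitea, /usr/local/php-cgi) are placeholders. It contrasts the weak layout that produced the incident with the two hardened variants, in Apache 2.0/2.2 directive style to match the 2005 thread.

```apache
# Added example, not from the original thread. Hostnames, users and paths
# are placeholders.

# --- Weak: docroot owned by the httpd user, nothing fencing PHP.
# A bug in site a's phpBB lets PHP (running as httpd) write into any
# docroot httpd owns, which is exactly the b-z defacement described above.
<VirtualHost *:80>
    ServerName site-a.example
    DocumentRoot /home/sitea/html
</VirtualHost>

# --- Hardened variant 1: keep mod_php, fence each vhost.
# Files are owned by the site's own unix user (sitea) and are only readable,
# not writable, by httpd. php_admin_value cannot be overridden from
# .htaccess or ini_set(), unlike php_value.
<VirtualHost *:80>
    ServerName site-a.example
    DocumentRoot /home/sitea/html
    php_admin_value open_basedir "/tmp:/home/sitea/html:/usr/local/lib"
    # open_basedir only constrains PHP's file functions; it does not stop
    # exec()/system() from touching other paths, so those are disabled too.
    php_admin_value disable_functions "exec,system,passthru,shell_exec,popen,proc_open"
</VirtualHost>

# --- Hardened variant 2: PHP as a CGI via Action, the pattern DvDmanDT asks
# about. Apache invokes the handler binary itself and passes the requested
# .php file in PATH_TRANSLATED, so the .php files need neither a shebang nor
# an execute bit; only php-cgi in the ScriptAlias directory is executed.
ScriptAlias /php-bin/ /usr/local/php-cgi/
<Directory /usr/local/php-cgi>
    Options ExecCGI
    Order allow,deny
    Allow from all
</Directory>
AddType application/x-httpd-php .php
Action application/x-httpd-php /php-bin/php-cgi

<VirtualHost *:80>
    ServerName site-b.example
    DocumentRoot /home/siteb/html
    # With mod_php removed here, PHP requests for this vhost go through the
    # CGI handler above instead of the in-process interpreter.
</VirtualHost>
```

Two caveats for variant 2. First, by itself it still runs every site's PHP as the same httpd user, so the ownership rule from Gary's post (site files owned by the user, read-only to httpd) is what actually stops cross-site writes. Second, if suexec is added to get per-user execution, it will refuse a binary outside its compiled-in document root or not owned by the target user, so a single shared php-cgi under /usr/local will not pass its checks; each site then needs its own wrapper inside a directory suexec accepts.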