[thelist] PHP Perl Apache security

Keith cache at dowebscentral.com
Sun Jul 20 15:37:59 CDT 2003 

At 09:14 AM Sunday 7/20/2003, you wrote:

>should be aware of this. As a hosting provider, you might do well to make
>that clear, and use the opportunity to upsell them to dedicated (most hosts

Good point. Actually we are not the hosting company - we provide a server 
app for hosting companies and we are insisting on a secure environment. The 
host provider with 15,000 is the biggest, but overall we have over 50K 
domains to consider on god knows how many servers, with a half a dozen host 
providers - and counting. We were flabbergasted to find that 6 out of 9 
Apache hosting companies we've dealt with have the Perl/PHP vulnerability I 
described, and didn't know it. So far they all want to get hardened, so we 
are looking for the most painless way to do it - painless for the end-user 
and the hosts.

>true - but not prohibitively so. I use a certain undisclosed Vhost that uses
>this strategy, and while I have no idea what the hardware etc. is,
>performance is very good. and again, if you want great performance, you

Good point also. But we have no control over the hardware. The 15,000 
client host estimates they will need to move hundreds of domains off to new 
servers to guarantee the same per domain load that they now have if they 
switch from Apache module to CGI.

>     AddType  application/x-httpd-php .php
>     Action application/x-httpd-php /cgi-bin/php
>inside the <VirtualHost> section.

Ahhh... Yeah, I've seen that but I think I failed to connect the dots. I'll 
try it. Our biggest host is leaning toward the CGI method but that shebang 
line scares them because it requires the client to do something that many 
will balk at or botch. THANKS for pointing that out!!!

>the bonus advantage with this method: users can have their own php.ini 
>files -
>and their own version of php! Just complile php as CGI, point the
>configuration directive for the php.ini location to their working dir, put
>the binary in their cgi-bin... (well, ok, times 15,000...)

:-) right. I think we'll leave that call up to the hosting provider....

>So, I vote for this method. In fact, as a customer I prefer it too, as 
>long as
>the performance is ok. No more security problems, all files are owned by user

We'll see what the performance penalty is. PHP claims it's significant, but 
then they are more concerned with selling speed than security.

THANKS!!


Keith
====================
cache at dowebscentral.com

More information about the thelist mailing list