So what PHP security hole did that open up?
2008-04-11 / 01:56 / dave
To make playing around with WordPress easier, I wanted to set up a local test environment. Since Tim Altman has renewed my quest to get PHP authentication working on DreamHost, I need to run PHP via CGI.
Whew-ee.
The PHP Windows installer added some lines to httpd.conf:
ScriptAlias /php/ "c:/php/"
Action application/x-httpd-php "/php/php-cgi.exe"
After installation I could only run .php files from cgi-bin/ and only by using #!. The PHP install.txt led me to add
AddType application/x-httpd-php .php
Which didn’t help. Luckily Apache’s logs/error.log sensibly stated
...[error] [client 127.0.0.1] client denied by server configuration: C:/php/
So now I’ve got:
<Directory "C:/php/">
AllowOverride None
Options None
Order deny,allow
Allow from all
</Directory>
ScriptAlias /php/ "c:/php/"
AddType application/x-httpd-php .php
Action application/x-httpd-php "/php/php-cgi.exe"
Which works, but at the expense of allowing access to the C:/php directory. What kind of security holes does that open? I poked around in the browser and couldn’t access any of the files. Plus the Apache user also doesn’t have write access to the directory and I only start httpd right before testing. Still…
White hats: advice, please.
Black hats: mercy, please.
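
One way to narrow the access granted above, as an added example that is not part of the original post. It keeps the post's paths and Apache 2.2 access syntax, denies the directory by default and allows only php-cgi.exe; the php.ini setting named in the comments is PHP's own, not something from the post.

```apache
# Added example, not from the original post. Apache 2.2 syntax
# (Order/Allow/Deny), matching the configuration shown above.

# ScriptAlias marks everything under c:/php/ as CGI, so any executable
# in that directory that a client is allowed to request would be run,
# not just php-cgi.exe. The access rules below limit that to one file.
ScriptAlias /php/ "c:/php/"
AddType application/x-httpd-php .php
Action application/x-httpd-php "/php/php-cgi.exe"

<Directory "C:/php/">
    AllowOverride None
    Options None

    # Default for the directory: refuse every request.
    Order deny,allow
    Deny from all

    # Exception: the one binary the Action directive redirects to.
    # <Files> is applied after <Directory>, so it overrides the deny.
    <Files "php-cgi.exe">
        Order allow,deny
        Allow from all
    </Files>
</Directory>

# In php.ini, leave cgi.force_redirect = 1 (PHP's default). With it on,
# php-cgi.exe only runs when reached through the Action redirect and
# refuses requests made directly to /php/php-cgi.exe.
```

After a restart, a .php page under the document root should still render, while a request for any other file under /php/ should be refused and show up in logs/error.log as "client denied by server configuration".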

just trying to re-submit my comment about changing
ScriptAlias /php/ "c:/php/"
to
ScriptAlias /scripts/ "c:/php/"
in order to eliminate scans by bad guys for http://HOSTNAME/php trying to determine if php is installed.
Thanks for the tip and sorry for the comment glitch. I went ahead and modified my .conf.