Server Software and Configuration Services
Are you still running without PHP protection?
An interesting report as been posted recently about the inherent dangers of allowing code to run under the same username as the apache process, i.e. nobody. This happens if you run PHP as a module, or CGI scripts without SUExec protection:http://seclists.org/bugtraq/2007/Jun/0250.htmlOf course, this is not anything new and the dangers have been known about for a long time. However the paper explains just how vulnerable you really are if you don’t protect your apache configuration from code being run within the context of its own user.Note that this affects both apache v1 and v2.Avoiding this issue is relatively simple:1. Enable SUExec (which is the default on cPanel installs)2. Enable PHPsuexec (or SuPHP), and understand the limitations that imposesLeaving your server without protection is inviting hackers to exploit your whole server including all your clients data, through a simple hole in one PHP script on one account on your server.An interesting take on this report is also discussed by the creator of mod_security:http://www.modsecurity.org/blog/archives/2007/06/apache_process.html