Welcome,
Guest
.
Please
login
or
register
.
Did you miss your
activation email
?
News:
EDC:
Download extensions for Elxis CMS
.
Home
Help
Login
Register
Elxis CMS Forum
»
Support
»
Security
»
PHP as a CGI application [SOLVED]
« previous
next »
Print
Pages: [
1
]
Author
Topic: PHP as a CGI application [SOLVED] (Read 15668 times)
empusa
Newbie
Posts: 8
PHP as a CGI application [SOLVED]
«
on:
October 19, 2008, 02:35:47 »
I've suffered several hacking attempts on my websites recently. My websites are on a shared server. I was daft enough to leave some directories open (chmod 777). The web sites were OK for a couple of years, but then became the target of a phishing gang. I have now locked the sites down but Apache needs access to some directories in order to run Elxis and other applications properly.
My hosting company have offered to move my sites to one of their newer servers. On these servers PHP runs as a CGI application, therefore all files belong to the user not httpd and there is no need to chmod 777. This would solve the security problem that I have been suffering from.
Can anyone tell me if there are any security issues with running PHP as a CGI application? Is it a good idea or not?
Pete
«
Last Edit: October 19, 2008, 15:33:11 by empusa
»
Logged
Farhad Sakhaei
Elxis Community
Hero Member
Posts: 1190
I know nothing , Should know more & more
Re: PHP as a CGI application
«
Reply #1 on:
October 19, 2008, 10:56:57 »
This is suPHP , It is good for more security , Although you lose some features like some directions in .htaccess and ...
You can also put php.ini in your folders to overwrite the php configuration...
suPHP is a tool for executing PHP scripts with the permissions of their owners. It consists of an Apache module (mod_suphp) and a setuid root binary (suphp) that is called by the Apache module to change the uid of the process executing the PHP interpreter.
PS: Another solution is using FTP and enabling it by Elxis
«
Last Edit: October 19, 2008, 10:58:41 by Farhad Sakhaei
»
Logged
DediData Web Hosting Services
Ivan Trebješanin
Elxis Team
Hero Member
Posts: 1663
Re: PHP as a CGI application
«
Reply #2 on:
October 19, 2008, 12:58:47 »
You can also ask your hosting admin to install suhosin extension for PHP, it is very good.
http://www.hardened-php.net/suhosin/
However, server setup is very large topic, and we cannot cover everything here. There are a lot of specialized forums about servers and hosting out there.
Logged
I've got a snap in my finger...
Got rhythm in my walk...
datahell
Elxis Team
Hero Member
Posts: 10356
Re: PHP as a CGI application
«
Reply #3 on:
October 19, 2008, 13:17:16 »
I personally do not recommend running PHP under cgi mode.
It is slower but more secure as when it runs as an Apache module.
See what
Ivan
proposed you about the
suhosin
patch, it is very good solution. They also have pre-compiled PHP binaries with suhosin built-in.
"This server is protected with the Suhosin Patch 0.9.6.2
Copyright (c) 2006 Hardened-PHP Project"
I have never enabled safe_mode or open_basedir and never got hacked. If you set up php carefully and you follow basic security rules on your php applications you have nothing to worry about.
«
Last Edit: October 19, 2008, 13:25:14 by datahell
»
Logged
Elxis Team
|
Is Open Source
|
IOS Rentals | IOS AERO
empusa
Newbie
Posts: 8
Re: PHP as a CGI application [SOLVED]
«
Reply #4 on:
October 19, 2008, 15:32:42 »
Many thanks for the replies.
I will have another chat with my hosting company to see if they will install suhosin. If not, I will transfer the sites to one of their newer servers with suPHP.
The hacks that I suffered were not the fault of Elxis. I believe that a hacker had purchased a hosting account on the same server as me and used a PHP script to look for writable directories and in other accounts on the same server. The hosting company are denying this, but its the only way it could have been done.
Logged
Ivan Trebješanin
Elxis Team
Hero Member
Posts: 1663
Re: PHP as a CGI application [SOLVED]
«
Reply #5 on:
October 19, 2008, 16:13:47 »
Back in the days I used shared hosting, I had a exactly the same problem as you.
But, if you use suPHP, there some other things that need to be set up too, because suPHP can create generate a lot of problems if not set up properly. Again, server setup is far too large topic for this forum. Also I agree with datahell, running PHP as CGI is NOT a good solution at all.
Logged
I've got a snap in my finger...
Got rhythm in my walk...
Farhad Sakhaei
Elxis Community
Hero Member
Posts: 1190
I know nothing , Should know more & more
Re: PHP as a CGI application [SOLVED]
«
Reply #6 on:
October 19, 2008, 16:17:59 »
I don't know , Why Cpanel recomment to use Suphp and also Safe mode enable?
Logged
DediData Web Hosting Services
datahell
Elxis Team
Hero Member
Posts: 10356
Re: PHP as a CGI application [SOLVED]
«
Reply #7 on:
October 19, 2008, 17:34:27 »
Safe mode is a very strict security meter and it is very easy to enable. You just set safe_mode=on and finish. That is why they recommend it.
Cpanel's target group is mostly customers not so well experienced with linux and ssh environment, so just setting on safe_mode is a very easy solution to fight against hackers. But it is not the best... Safe_mode will be discontinued in PHP 6. Why? Do you think that the PHP developers got mad? I have not tested suPHP, but I like such solutions (as the suhosin patch). I prefer them than enabling safe_mode.
..and always remember, that absolutely security does not exist even if you enable all security patches and options. Sad, but true.
«
Last Edit: October 19, 2008, 17:36:00 by datahell
»
Logged
Elxis Team
|
Is Open Source
|
IOS Rentals | IOS AERO
ahmet
Sr. Member
Posts: 283
360 HDR Virtual Tours | Windsurfing Sailing
Re: PHP as a CGI application [SOLVED]
«
Reply #8 on:
April 05, 2011, 01:12:20 »
why we dont all agree and keep keep all elxis sites under one server.. we pay additionaly to the member of team who is responsible for security..
we pay less....and have great security..
by the way i would like to see in nautius is high slide plugin ..can both play images, videos, external htmls..
Logged
www.puretourism.co.uk
www.globalpanorama.net
www.bodrumwindsurf.com
Print
Pages: [
1
]
« previous
next »
Elxis CMS Forum
»
Support
»
Security
»
PHP as a CGI application [SOLVED]