PHP5 as a CGI

Re: PHP5 as a CGI

Jupiter's Song wrote:[color=blue]
> (In Apache2)
>
> I have this setup and using the new CGI daemon interface... no probs.
> However the binary is accessible via the browser. I suppose I wouldn't even
> make this an issue but I get this when accessing the binary:
> Warning: Unexpected character in input: '' (ASCII=16) state=1 in
> /usr/local/bin/php on line 4777
> Parse error: parse error, unexpected T_STRING in /usr/local/bin/php on line
> 4777
>
> So I'm wondering if there is a more secure way to install the binary? or
> perhaps I'm doing something wrong. Here is my relevant apache config
> directives:
> ScriptAlias /php/ /usr/daemon/httpd/php/
> AddType application/x-httpd-php .php .phtml
> AddType application/x-httpd-php-source .phps
>
> Action application/x-httpd-php "/php/php"
>
>
> I compiled the cgi binary "without_redire ct", ""without_disca rd",
> "without_fastcg i", "without_pathin fo".
>
>[/color]

I've had bad experiences with running PHP5 as a CGI app on Apache2. I
don't recommend it. Additionally, I've been told that there are major
security concerns about this. Check out
http://www.php.net/manual/en/security.cgi-bin.php Supposedly, they have
also been documented at www.phrack.org

I recommend installing it as a module.


I remember that it took me a while to get it working properly (I'm not
yet an Apache guru) but I don't remember what my problem(s) were either.

Good luck!

--TekWiz

Re: PHP5 as a CGI

"TekWiz" <tekwiz@twarlic k.net> wrote in message
news:d1klnd$q1f $1@aunews.duc.a uburn.edu...[color=blue]
> Jupiter's Song wrote:[color=green]
>> (In Apache2)
>>
>> I have this setup and using the new CGI daemon interface... no probs.
>> However the binary is accessible via the browser. I suppose I wouldn't
>> even make this an issue but I get this when accessing the binary:
>> Warning: Unexpected character in input: '' (ASCII=16) state=1 in
>> /usr/local/bin/php on line 4777
>> Parse error: parse error, unexpected T_STRING in /usr/local/bin/php on
>> line 4777
>>
>> So I'm wondering if there is a more secure way to install the binary? or
>> perhaps I'm doing something wrong. Here is my relevant apache config
>> directives:
>> ScriptAlias /php/ /usr/daemon/httpd/php/
>> AddType application/x-httpd-php .php .phtml
>> AddType application/x-httpd-php-source .phps
>>
>> Action application/x-httpd-php "/php/php"
>>
>>
>> I compiled the cgi binary "without_redire ct", ""without_disca rd",
>> "without_fastcg i", "without_pathin fo".
>>
>>[/color]
>
> I've had bad experiences with running PHP5 as a CGI app on Apache2. I
> don't recommend it. Additionally, I've been told that there are major
> security concerns about this. Check out
> http://www.php.net/manual/en/security.cgi-bin.php Supposedly, they have
> also been documented at www.phrack.org
>
> I recommend installing it as a module.
> http://www.php.net/manual/en/install.unix.apache2.php
>
> I remember that it took me a while to get it working properly (I'm not yet
> an Apache guru) but I don't remember what my problem(s) were either.
>
> Good luck!
>
> --TekWiz[/color]


Well my install was working great; 'cept for the binary being accessible via
the browser and outputting a nasty php error (I think it's because I
compiled it without the "force redirect" option.)

Also I am not aware of any current exploits (excluding poor server side
programming which is a problem for any of the installs).

ty