Apache - suExec - FastCGI - PHP = seciruty issue

Posted by Jari V. on Server Fault See other posts from Server Fault or by Jari V.
Published on 2012-08-27T22:14:28Z Indexed on 2012/08/29 15:40 UTC
Read the original article Hit count: 265

Filed under:

apache2

|

fastcgi

|

suexec

I installed Apache with FastCGI (mod_fastcgi), suExec and PHP on my local development box. Working perfectly, expecting one thing.

Let's say I have two users:

user1 - /home/user1/public_html
user2 - /home/user2/public_html

I discovered a serious security hole in my configuration: I can include a file from user2 web root in user1 file. How to prevent? Any tips?

php-cgi process is running under correct user.

© Server Fault or respective owner

Related posts about apache2

apache2: Could not open configuration file /etc/apache2/apache2.conf: Permission denied

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I recently upgraded Ubuntu to the latest LTS edition on my work laptop, which I use as a LAMP development platform. The upgrade was from 12.4 to 14.4. Now I'm having trouble getting apache up and running again. Here is the output from an attempt: antonc@antonc-laptop:/etc/apache2$ sudo service apache2… >>> More
Apache segfault glibc segfault

as seen on Server Fault - Search for 'Server Fault'
I keep getting (about every 5-6 hours) this segfault in apache: [Tue Jun 26 12:43:10 2012] [notice] child pid 26810 exit signal Aborted (6) *** glibc detected *** /usr/sbin/apache2: free(): invalid pointer: 0xb68c2628 *** ======= Backtrace: ========= /lib/i386-linux-gnu/libc.so.6(+0x6ff22)[0xb75aef22] /lib/i386-linux-gnu/libc… >>> More
Localhost not working after installing PHP on Mountain Lion

as seen on Server Fault - Search for 'Server Fault'
I've installed php using brew install php54 --with-mysql, I've set up all the path correctly. which php will give me /usr/local/bin/php php -v will give me PHP 5.4.8 (cli) (built: Nov 20 2012 09:29:31) php --ini will give me: Configuration File (php.ini) Path: /usr/local/etc/php/5.4 Loaded Configuration… >>> More
Apache 2 Virtual Hosts no working on OSX 10.6

as seen on Server Fault - Search for 'Server Fault'
This is my first MacBook and I'm trying to get virtual hosts up and running so as it's going to be my dev machine. I've got apache/php/mysql running fine, the problem is that what ever address I go to I just get one of the virtual hosts I've setup. I can't even get to the root site anymore. I had… >>> More
apache2 error Could not open configuration file /etc/apache2/conf.d/: No such file or directory

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I have just upgraded my Ubuntu 13.10 and apache2 is not working. When I try to start the apache2 server it is printing following errors: * Starting web server apache2 * The apache2 configtest failed. Output of config test was: apache2: Syntax error on line 263 of /etc/apache2/apache2.conf: Could… >>> More

Related posts about fastcgi

cant install fastcgi ubuntu server: Package libapache2-mod-fastcgi is not available

as seen on Server Fault - Search for 'Server Fault'
When i try to install fastcgi in ubuntu server 12.04 I get the following error: sudo apt-get install libapache2-mod-fastcgi Reading package lists... Done Building dependency tree Reading state information... Done Package libapache2-mod-fastcgi is not available, but is referred to by another… >>> More
FastCGI + Apache: How to map a url to a specific fastcgi binary

as seen on Server Fault - Search for 'Server Fault'
I have written two C++ fastcgi applications (foo and foobar). I am running apache 2.2 (prefork) with mod_fcgid on Ubuntu 10.x. I want to be able to setup apache so that: http://mywebsite/some/path1?param1=value1&param2=value2 will run the fastcgi app foo AND mywebsite/another/path1?param1=value1&param2=value2 will… >>> More
fastcgi-mono-server2 vs fastcgi-mono-server4

as seen on Server Fault - Search for 'Server Fault'
Not sure if this is a silly question or not. Basically I'm figuring out how to run Mono on Linux, and I'm a Linux no0b. I've got everything up and running, but confused about fastcgi-mono-server. A lot of sites reference fastcgi-mono-server2 while other sites reference fastcgi-mono-server4 When… >>> More
How to configure fastcgi to work with ligttpd in ubuntu

as seen on Server Fault - Search for 'Server Fault'
I am able to run lighttpd on ubuntu 9.10. But when i tried to setup fastcgi with lighttpd by putting this in the ligttpd.conf file: #### fastcgi module fastcgi.server = ( "/fastcgi_scripts/" => (( "host" => "127.0.0.1", "port" => "9098", "check-local" => "disable"… >>> More
Apache 2.2 and FastCGI stops responding, warnings, crashes

as seen on Server Fault - Search for 'Server Fault'
I've seen this question posted a few times using a Google search, with no real answers. I have a multi-threaded FastCGI application running with Apache 2.2 on FreeBSD 7.2. There are a few issues with it, and I am unable to really figure out the source of the problem even after poking through a bunch… >>> More