Questions tagged [mod-php]

PHP installed as an Apache module

There are (at least) two ways of running PHP when working with Apache:

  • Using CGI: Apache launches a PHP process, and that process interprets the PHP code, not Apache itself.
  • Using PHP as an Apache module (called mod_php): the PHP interpreter is embedded inside the Apache process. There is no external PHP process, which means that Apache and PHP can communicate better.

When PHP runs as an Apache module, it inherits Apache's user permissions (typically those of the "nobody" user). This has several consequences for security and authorization. For example, if you use PHP to access a database that has no built-in access control, you have to make the database accessible to the "nobody" user. A malicious script could then access and modify the database, even without a username and password. It is entirely possible that a web spider could stumble across a database administrator's web page and drop all of your databases. You can protect against this with Apache authorization, or you can design your own access model using LDAP, .htaccess files, etc. and include that code as part of your PHP scripts.

Often, once security has been tightened to the point where the PHP user (in this case, the Apache user) carries very little risk, it turns out that PHP can no longer write any files to user directories, or can no longer access or change databases. The restrictions apply equally to good and bad files, and to good and bad database transactions.

A frequent security mistake made at this point is to give Apache root permissions, or to escalate Apache's abilities in some other way.

Escalating the Apache user's permissions to root is extremely dangerous and may compromise the entire system, so sudo'ing, chroot'ing, or otherwise running as root should not be considered by those who are not security professionals.

There are some simpler solutions. With open_basedir you can control and restrict which directories PHP is allowed to use. You can also set up Apache-only areas, to restrict all web-based activity to non-user, or non-system, files.

70 questions
0
votes
1 answer

dso (mod_php) and FTP/File permissions

I'm a bit baffled here. But it might just be my lack of experience. I have set up PHP DSO (mod_php) and my server runs smoothly and stable. The issue is, though, that in order to run php with includes and everything, I had to set all user account…
eleven59
0
votes
0 answers

Is it possible to make APC cache 1 version of wp-includes only?

I currently have httpd in prefork mode with mod_php and apc. I host multiple WordPress installs on my server but with w3-total-cache I find that my apc cache is caching multiple versions of the same files wp-includes. As all my sites are running the…
0
votes
1 answer

Unable to link Apache and PHP for execution of PHP files

I'm currently facing an issue with linking Apache and PHP on a Windows system. Here's the problem I'm encountering: I downloaded the PHP ZIP package from https://www.php.net/downloads.php and extracted it to the "php" folder on my C: drive. Then, I…
Sk Miraj
0
votes
1 answer

How to get a PHP script to execute while receiving a file?

A desktop application uploads a file with arbitrary length (it really could be anything from a few MB to multiple GB) to a PHP endpoint. The PHP server in question is running in Docker. Specifically, it's the Apache 2 + PHP combination (no…
0
votes
0 answers

How to convert webpage from mod_php to cgi

I know pretty much nothing about coding but I just want to host a premade site. It's a World of Warcraft Vanilla (an old version of the game) database which I downloaded from here: https://github.com/MarkusNemesis/VanillaWoWDB2 I followed the…
0
votes
1 answer

Detecting Whether or not fastCGI is running on a remote server

Pretty much every answer I get, involves phpinfo(), which doesn’t help me. I have an SDK for a PHP-based server that uses Basic Auth (bearer token/secret stuff). However, when the server is running fastCGI, the SDK needs to send the auth as query…
Chris Marshall
0
votes
1 answer

Apache+mod_php so slow

I have a problem setting up my Apache server with mod_php. I have a website whose index.php page is generated in ~200ms. But Apache serves it in about 1.5sec. Why is this slowdown taking place? If needed, my /etc/apache2/ports.conf file is: Listen…
Max Cruer
0
votes
1 answer

Increase upload_max_filesize as a standalone setting just for phpmyadmin using php-fpm

Is there a way to increase upload_max_file_size in phpmyadmin as a standalone php.ini using php-fpm? Does phpmyadmin support standalone php.ini? When using mod_php, I'm able to use the following configuration in .htaccess: php_value…
Kalib Zen
0
votes
1 answer

How to find out which 'Apache Configuration File' is currently in use on XAMPP running on Windows10 64-bit operating system?

I'm using PHP 7.3.4 on my laptop that runs on Windows 10 Home Single Language 64-bit operating system. I've installed the latest version of XAMPP installer on my laptop which has installed the Apache/2.4.39 (Win64) and PHP 7.3.4 For checking which…
PHPLover
0
votes
1 answer

htaccess - detect mod_php

I'm trying to limit/eliminate duplication. According to my (limited) understanding of some LAMP hosting providers (especially on shared servers) there are some PHP-ini directives that are ignored when set inside the PHP-script, but are accepted when…
user4244405
0
votes
1 answer

phpinfo.php while with apache 2.4 is just returning the code

I am trying to configure PHP with apache 2.4 and every time I run the localhost/phpinfo.php, it shows me the code. Browser used: chrome. Changes in apache server httpd conf file: LoadModule php7_module "C:/php/php7apache2_4.dll" AddHandler…
Nagendra Singh
0
votes
1 answer

Failing to install libapache2-mod-php5 on debian

When I try to install libapache2-mod-php5 on debian (Linux debian 3.2.0-4-686-pae #1 SMP Debian 3.2.41-2 i686 GNU/Linux) I get the following output: root@debian:~# apt-get install libapache2-mod-php5 Reading package lists... Done Building dependency…
gabrjan
0
votes
1 answer

Detecting mod_php7 in Apache 2.4 .htaccess fails

Consider the following .htaccess directives: Define PHP_ENABLED Require all denied php_value expose_php Off It just dies with…
user4244405
0
votes
1 answer

php5 running as Apache module gives error 400 (bad request)

server config: VPS with Centos6.5 + Apache2.2 prefork + Php5.3 My server has now Php running as cgi, and I'd like to add another handler for .php5 files to be executed as Apache module, so part of my php.conf looks like below: LoadModule php5_module…
PioTrek
0
votes
2 answers

.htaccess adding php type

I have been trying to add .inc page as php page using .htaccess, but each time I add it to my existing code in the end of the line, it downloads the page rather than process as a php file. My existing .htaccess code: RewriteEngine on Options…
Basit