[quote:7c03b6bbe3][i:7c03b6bbe3]Originally posted by Tim Greer[/i:7c03b6bbe3]
Safe_mode, opendir, etc. are better than not, but trivial. A PHP script can be coded to bypass these settings anyway. I don't believe that it relates very well to 'security'. I'd suggest people run PHP as CGI if they are concerned about security, and use SuEXEC for CGI. You can configure the web server to run PHP scripts in their usual manner, so users don't need to change the permissions for .php files, nor rename them to any other file extension, nor add #!/usr/bin/php to the top of the script. PHP embedded in the httpd process is obviously faster, but few clients will run scripts written well enough anyway and usually end up consuming a lot of resources. With SuEXEC and CGI you can limit their resource usage, have better tracking of processes and abuse, spam, etc.
I personally don't see a huge increase in process time with PHP as a module or as CGI. Of course this doesn't help for other modules like mod_perl, mod_python, etc., as mentioned earlier, so a similar solution would need to be created for those if you use them. For that matter, some type of wrapper (which would need to be carefully coded with a lot of things in mind) would be best, and just run it so anything (module or not) will pass through it. Of course that's not an easy task, and worse than hacking the Apache source or modifying modules and components would be having to pass through this wrapper, which could result in a slight decrease in performance (which goes without saying for each additional function that needs to be run).
However, since most servers run PHP and CGI, PHP *as* CGI might be a valid solution, as you can then safely restrict users from ever being able to access other users' account directories from FTP, shell, the web server (via CGI) and so on. Though some people really frown on the idea of running PHP as CGI, I think it's a pretty good solution for a lot of problems I consider more alarming than a slight speed increase or overhead reduction -- again, since few scripts seem to be coded well anyway and consume a lot of resources, at least with SuEXEC you can better control them.[/quote:7c03b6bbe3]
Tim Greer, how could you be safe from a Perl program such as this?
http://www.rohitab.com/cgiscripts/cgitelnet.html
(This is not an SSH client; it's a Perl program which emulates a shell using Perl commands.)
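The PHP-as-CGI-under-suEXEC setup that Tim Greer's quoted post describes, written out as an added example that is not part of the original thread. It assumes Apache 2.4 with mod_actions, mod_cgi and mod_suexec loaded, a hypothetical customer account "alice" whose home directory /home/alice sits under the suEXEC document root compiled into the suexec binary, and a wrapper script /home/alice/cgi-bin/php-wrapper owned by alice (mode 0755) containing just `#!/bin/sh` and `exec /usr/bin/php-cgi`.

```apache
# Per-customer virtual host: PHP runs as a CGI under suEXEC, so every
# script in this vhost executes with the customer's own uid/gid instead
# of the shared httpd user. A CGI "shell" script uploaded by alice can
# therefore only touch what alice's filesystem permissions already allow.
<VirtualHost *:80>
    ServerName alice.example.com
    DocumentRoot /home/alice/htdocs

    # suEXEC target for everything launched as CGI in this vhost
    SuexecUserGroup alice alice

    # Wrapper directory: must be owned by alice and not group/world
    # writable, or suEXEC refuses to run anything in it.
    ScriptAlias /php-cgi/ /home/alice/cgi-bin/
    <Directory /home/alice/cgi-bin>
        Options ExecCGI
        Require all granted
    </Directory>

    # .php files keep their normal name and permissions: the handler
    # routes them to the wrapper, which suEXEC runs as alice, so no #!
    # line or execute bit is needed on the .php files themselves.
    # mod_actions sets REDIRECT_STATUS, which php-cgi requires by default.
    AddHandler php-via-suexec .php
    Action php-via-suexec /php-cgi/php-wrapper

    <Directory /home/alice/htdocs>
        Require all granted
    </Directory>
</VirtualHost>
```

With this in place the process tree shows each customer's php-cgi (or Perl CGI) running under that customer's uid, which is what makes per-user resource limits and abuse tracking possible.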