PHP protection script

I had a terrible problem a few days ago. I installed updates on my Ubuntu server, which is the host for about 10 websites. During the upgrade, something went wrong, and Apache's mod_php turned off. As a result, PHP support disappeared, and within a few minutes (until I realized what was wrong), users were invited to download PHP scripts, instead of seeing the website. Needless to say, there is nothing worse than exposing your script sources to the whole world, especially when the credentials in the database are stored internally.

Question: How do I configure Apache so that this situation is not possible in the future? What lines should be added to apache2.conf so that PHP files cannot be loaded if mod_php is disabled?

+7
security php apache
2 answers

Just add the following to .htaccess in your root directory

 php_admin_flag engine on 

In this case, the user will receive an HTTP 500 error trying to read any file from this directory or below, because no module defines the php_admin_flag directive if mod_php is disabled.

+9
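
An added example, not part of either answer or of any project's shipped configuration: a fail-closed fragment for apache2.conf that refuses to serve PHP files whenever no PHP module is loaded. It assumes Apache 2.4 with PHP served through mod_php; the extension list in the pattern is an assumption to adjust to the extensions your sites map to PHP.

```apache
# Fail closed: if no mod_php variant is loaded, deny requests for PHP
# files instead of letting Apache hand out their source as plain files.
#
# The module identifier depends on the PHP major version:
#   php5_module (PHP 5), php7_module (PHP 7), php_module (PHP 8).
# The nested <IfModule !...> blocks apply only when none of them is loaded.
#
# Assumption: PHP runs via mod_php. With PHP-FPM / mod_proxy_fcgi none of
# these modules is loaded, so this block would deny all PHP requests;
# do not use it in that setup.
<IfModule !php_module>
<IfModule !php7_module>
<IfModule !php5_module>
    # Extension list is an assumption; match whatever your handler config
    # (e.g. mods-available/php*.conf) maps to PHP.
    <FilesMatch "\.(php[0-9]?|phtml|phps|phar)$">
        Require all denied
    </FilesMatch>
</IfModule>
</IfModule>
</IfModule>
```

With this in place a request for a PHP file returns 403 while the module is missing, and normal handling resumes as soon as it is loaded again. `apache2ctl -M` lists the loaded modules if you need to confirm which identifier your build uses.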

A safer approach would be to simply not put things that you do not want to receive in the document root in the first place. See my answer here for more details; the basic idea is that if you never want a file to be accessed by a URL, do not put the damn file in an accessible URL. 99% of your application code should not be under the document root; it really doesn't matter what you do with the Apache/PHP configuration, you are still safe.

+5