Results 1 to 7 of 7
  1. #1

    PHP as Apache Module or CGI?

    I am currently using PHP in CGI mode, but I have a user that wants PHP installed as an Apache Module. He says that it is more secure.....is this true?

    Also, is there a way of giving users the choice to run it as CGI or Apache module on the same server, or am I talking nonsense?
    Last edited by kshazad86; 02-19-2011 at 04:44 PM.

  2. #2
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    8,910
    What sort of server do you run? Is this a shared hosting server or are you the only user of it? I'd personally go for FastCGI assuming you have a fair amount of RAM. (FastCGI and suPHP will offer the best overall security, but suPHP will be a bit slower.)
    Patrick William | RACK911 Labs | Software Security Auditing
    400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com

    www.HostingSecList.com - Security notices for the hosting community.

  3. #3
    Yes, its a shared hosting server and FastCGI is enabled.

  4. #4
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    8,910
    Quote Originally Posted by kshazad86 View Post
    Yes, its a shared hosting server and FastCGI is enabled.
    Then leave as is. That's the best all around solution for performance / security. I mean there's LiteSpeed if you're interested in going that route, but for Apache I would stick with FastCGI.

    Edit:

    Forgot to mention that running mod_php is a bad, bad idea in a shared hosting environment. The PHP processes are executed as the web server (nobody or httpd) whereas with suPHP or FastCGI they are executed as the individual user.
    Last edited by Patrick; 02-19-2011 at 06:16 PM.
    Patrick William | RACK911 Labs | Software Security Auditing
    400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com

    www.HostingSecList.com - Security notices for the hosting community.

  5. #5
    Join Date
    Jan 2010
    Location
    San Francisco
    Posts
    1,799
    Agreed, mod_php is not the way to go on a shared server.

  6. #6
    Join Date
    May 2006
    Posts
    1,398
    I reccomend suphp all the way. Apache fastcgi is good too but has some inherit problems.

    Best way i can explain it as far as security is - mod_php is great for a dedicated server running one site and is secure if your permissions are. For shared server it is kinda more secure for the user but not the server as a whole. For example if a hacker gets a php shell on a site running mod_php then he can only write to things that are world writable or owned as nobody so that is not much on a basic site setup. With mod_php on a shared server he can cat /etc/passwd and do kind of like a brute force on common file names to read config files then connect to user's mysql or find all world writable directories. Can be done whether open base dir is on or not. And also tracking abuse is much harder with mod_php as it runs as same user as server.

    With php running as user in any way such as *cgi or suphp then when a hacker gets php shell on a site they might as well have logged in ftp as the user, they would be under php as the user and would have all permissions to the user files, everything can be changed or deleted.

  7. #7
    I agree jon-f's point.
    mod_php is great for a dedicated server running one site but not good for shared server

Similar Threads

  1. whats the difference between running PHP using Fast CGI or as an Apache Module?
    By luke_a in forum Hosting Security and Technology
    Replies: 5
    Last Post: 03-11-2008, 08:59 AM
  2. PHP as Apache module vs. PHP as CGI module
    By DeNasio in forum Hosting Security and Technology
    Replies: 5
    Last Post: 11-20-2007, 06:10 AM
  3. Moving hosting - PHP CGI vs. Apache Module
    By panorama in forum Reseller Hosting
    Replies: 8
    Last Post: 03-03-2006, 02:59 PM
  4. PHP as CGI / as Apache Module
    By trader7702 in forum Hosting Security and Technology
    Replies: 5
    Last Post: 06-08-2004, 05:53 PM
  5. PHP running as CGI vs Apache Module
    By msimonds in forum Hosting Security and Technology
    Replies: 10
    Last Post: 05-06-2004, 09:07 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •