(Ping! Zine Special CPanel Edition) – PHP is one of the most popular languages on the Web, powering millions of websites. As a result, PHP has become the standard offering for many shared hosting companies. There are also many ways to run PHP on your servers. There are performance, stability, and security trade-offs for each method.
Many dedicated servers run PHP as an Apache module as their default. Yet once you move the setup to the shared server, security breaks down. The major issue with shared hosting is there are multiple users running code on your servers not audited by your staff. This means you have to make sure that one user cannot snoop into or modify the data of another user.
However, because mod_php is an Apache module, all PHP scripts inherit Apache permissions. This means any protection that would usually be granted by UNIX user permissions does not work. Any file that can be read by Apache can be read by a customer’s PHP script. With that, attackers can pick up MySQL passwords for another user, which would let hackers steal confidential information, deface websites, and inject malware. The issue is made worse by the fact that scripts and programs executed by the PHP script also run with Apache permissions. Even if there is some hope that PHP sand boxing would stop malicious PHP script from opening other users’ files, once PHP script can execute a program, that program can do pretty much anything.
To combat that issue, PHP has the safe_mode, open_basedir directive, and ability to forbid some PHP functions, such as functions that are used to execute scripts. Yet even with such safeguards, it is very hard to protect against all possible attacks. While we can expect the PHP core to be fairly secure, the large number of extensions that are shipped with PHP may have their own security vulnerabilities, making such a setup fairly easy to exploit.
This is probably one of the reasons the PHP team gave up on safe_mode altogether in PHP 5.4.
Read more in the Special cPanel Edition – CPanel & WHMCS: Combining Powers!