CGI vs Apache Module

microbluechip

Hi all,

On a windows install of PHP I have seen an increasing trend that many hosting providers have changed their PHP installations to use the CGI executable rather than using the Apache module version or the ISAPI module for IIS.

I am under the impression that this is due to security issues. Can anyone elaborate on this for me or point me in the right direction for more info on this.

laserlight

hmm, the argument that I've heard for a Unix or Unix-like system is that as an apache module, PHP would run with Apache's privileges.

If Apache has root privileges, as can often be the case, PHP would also have root privileges, which would then pose a security problem due to increased likelihood of privilege escalation by exploiting PHP.

I suppose this can be extended to Windows and IIS, where one might look at the Administrator privileges instead.

I think you can look up the PHP manual on security, in particular installing PHP as a CGI binary versus installing as an Apache module.

microbluechip

Thanks for that. This explains the UNIX situation and why many host companies that I have read about have had many hacking attempts on their web servers through PHP. We are shortly heading down the dedicated server route having suffering the perils of shared hosting for many years so it pays to be up to date with these things.

Will go and check the manual.