PHP-FPM shows PHP source code when accessing http://ip/~username/script.php

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
15,143
Location
GMT +7.00
Hello,

Just upgraded and rewritten all apache configs to the latest available from officials, and ran into a nasty issue:

PHP-FPM shows PHP source code when accessing http://ip/~username/script.php in both cases with AliasMatch and UserDir in /etc/httpd/conf/extra/httpd-vhosts.conf.

I had to completely disable it for security reasons:

Code:
...
    ServerAdmin webmaster@localhost
    #UserDir public_html
    #AliasMatch ^/~([^/]+)(/.*)* /home/$1/public_html$2
    DocumentRoot /var/www/html
    ServerName localhost
    ScriptAlias /cgi-bin/ /var/www/cgi-bin/
    CustomLog /var/log/httpd/homedir.log homedir
...

I believe it somehow relates to apache bugs mentioned here: http://forum.directadmin.com/showthread.php?t=45797&p=235844#post235844 right? Or could we get a solution in the nearest future?
 
Yes, I can confirm this. Wow. Depending on the code behind a site, this could potentially be pretty dangerous.

Unfortunately, it seems that there is no interest from the apache devs, in fixing those bugs (features???)
I don't get it, why don't those guys fix this? Are we on directadmin the only ones having these issues?

Best regards,
Frank
 
Back
Top