Here’s a potentially useful note for anyone upgrading to Debian Wheezy on a system that uses Apache2 + FCGI + PHP. If you’ve configured it to run using one of several guides (like these: https://community.x10hosting.com/threads/debian-apache-2-2-fastcgi-php-5-suexec-the-easy-way.148894/, http://davejamesmiller.com/blog/how-to-set-up-php-fastcgi-with-suexec-on-debian) then you might well be bitten by a similar issue to that reported in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=687307.
Previously, one could define config such as the following in an apache2
AddType application/x-httpd-php .php
AddHandler php-fcgi .php
Action php-fcgi /fcgi-bin/php5-fcgi
This would instruct Apache to use the handler “
php-fcgi” to process .php files – with the “Action” referencing a wrapper held at
/fcgi-bin/php5-fcgi (suitably aliased in the vhost). This all looks well and good and doesn’t appear to change between squeeze and wheezy (Apache is still at 2.2).
However, if you do a straight upgrade, you may find that your server starts serving out php files in plaintext (not only is your site down, but it’s a security risk as well with potential connection details listed in config files). In Wheezy, the php MIME types have disappeared from
/etc/mime.types – php5-cgi now includes two files (in
/etc/apache2/mods-available) to try and correct the missing MIME type definitions. With php5-cgi enabled in the webserver, the config as follows is included:
This sets the handler appropriately. With this set, Apache serves out the file as text, instead of using the relevant action “
php-fcgi” - the FilesMatch directive overriding the old config. The fix is reasonably simple – comment out the
AddHandler in the conf.d file and change the Action line so you have:
Action application/x-httpd-php /fcgi-bin/php5-fcgi
In the case you just want sidewide php5-cgi with no suexec, then you don’t even need the above – in
mods-available, just uncomment the last section of the
php5-cgi.conf file – this has a similar “
Action” directive to that above. I keep the above as I use suExec to run the fcgi processes under individual accounts (you’re unable to call outside of the suexec root, and it’s easy to repoint the fcgi-bin location appropriately in each virtualhost).
(Note that this type config appears also to be not vulnerable to execution of files of the type
evil.php.jpg thanks to the FilesMatch directive in the module .conf)
Featured image adapted from work by W. Rebel (Wikimedia Commons)