suPHP is not maintained any longer and will not receive any further
updates, not even security patches.
If you want to continue using suPHP, feel free to create a fork (the
complete code is licensed under the GPL version 2).
If you are looking for an alternative, have a look at php-fpm.
There is also a fork of suPHP maintained by John Lightsey on GitHub.

suPHP is a tool for executing PHP scripts with the permissions
of their owners. It consists of an Apache module (mod_suphp) and a
setuid root binary (suphp) that is called by the Apache module to
change the uid of the process executing the PHP interpreter.

| suPHP 0.7.2 released | 2013-05-20 |
|---|---|

suPHP 0.7.2 has been released.
This release fixes a security issue that was introduced with the 0.7.0
release. This issue affected the source-highlighting feature and could
only be exploited if the suPHP_PHPPath option was set. In this case,
local users who could create or edit .htaccess files could possibly
execute arbitrary code with the privileges of the user the webserver was
running as.

| suPHP 0.7.1 released | 2009-03-14 |
|---|---|

suPHP 0.7.1 has been released.
This release fixes a bug causing problems with symbolic links in the
script path, which was introduced with the 0.7.0 release.

| suPHP 0.7.0 released | 2008-12-25 |
|---|---|

suPHP 0.7.0 has been released.
With this release, several features that have been on the wish
list for a long time have been realized:
- The module for Apache 1.3 only supported AddHandler for older
releases. This has been fixed: Now you can use AddType, too.
- PHP source highlighting: Files of MIME type
application/x-httpd-php-source will now be shown with source
highlighting. Remember to set the suPHP_PHPPath directive to
enable this feature.
- suPHP_AddHandler and suPHP_RemoveHandler directives can now
be used on per vhost level, too.
- You can configure more than one docroot and use different
variables (like user name or home directory) within docroot
and chroot settings.
Attention: The configuration syntax for suphp.conf has
slightly changed with this release. Be sure to read the documentation
before upgrading, because existing configuration files will not work
without changing them.

| suPHP 0.6.3 released | 2008-03-30 |
|---|---|

suPHP 0.6.3 has been released.
This is a security fix release, fixing two race conditions
concerning symlinks:
- An attacker could create a symlink linking to a file of his
own, then change the symlink to point to a file of another user
and finally change the link back to a file of his own. This
attack requires very accurate timing, because the link has to
be changed twice at the right moments. However, if the attacker
succeeds he can execute his own code with the permissions of
a different user. This will be less harmful when suPHP is run
in paranoid mode, as the attacker has to place his link in a
directory that is associated with another user.
- There is a second vulnerability concerning symlinks that
point to a directory. This vulnerability is even more harmful
as the link has to be changed only once, which makes the
timing much easier. Like the other vulnerability, this
issue is most harmful if suPHP is running in owner mode.
All users are strongly advised to update immediately.
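
Both races come from checking a path and then using it later, after a link may have been swapped. As an added illustration (not suPHP's code and not its actual fix), this C example opens each path component without following symlinks and checks the owner on the opened descriptor; the names `open_owned_script`, `NOLINK`, `demo` and the file layout are assumptions constructed for the example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#define NOLINK (O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC)

/* Hypothetical helper, not suPHP's code: resolve rel below the trusted
 * directory rootfd one component at a time, refusing ".." and symlinks. */
int open_owned_script(int rootfd, const char *rel, uid_t owner)
{
    char buf[4096], *save = NULL, *name;
    struct stat st;
    int fd, dirfd;
    if (strlen(rel) >= sizeof buf) return -1;
    strcpy(buf, rel);
    dirfd = dup(rootfd);
    for (name = strtok_r(buf, "/", &save); dirfd >= 0 && name;
         name = strtok_r(NULL, "/", &save)) {
        fd = strcmp(name, "..") ? openat(dirfd, name, NOLINK) : -1;
        close(dirfd);
        dirfd = fd;
    }
    /* fstat() checks the opened inode, so relinking the path later is moot */
    if (dirfd >= 0 && fstat(dirfd, &st) == 0 && S_ISREG(st.st_mode) &&
        st.st_uid == owner && !(st.st_mode & (S_IWGRP | S_IWOTH)))
        return dirfd;
    if (dirfd >= 0) close(dirfd);
    return -1;
}

/* Constructed layout; bit i of the result is set when rel[i] is accepted. */
int demo(void)
{
    const char *rel[] = { "dir/real.php", "link.php", "dlink/real.php" };
    char tmp[] = "/tmp/suphp-demo-XXXXXX";
    int i, fd, root, mask = 0;
    if (!mkdtemp(tmp) || chdir(tmp) || mkdir("dir", 0700)) return -1;
    close(open(rel[0], O_CREAT | O_WRONLY, 0600));
    if (symlink(rel[0], rel[1]) || symlink("dir", "dlink")) return -1;
    root = open(".", O_RDONLY | O_DIRECTORY);
    for (i = 0; i < 3; i++) {
        fd = open_owned_script(root, rel[i], getuid());
        if (fd >= 0) { mask |= 1 << i; close(fd); }
    }
    close(root);
    return mask;
}
int main(void) { return demo() == 1 ? 0 : 1; }
```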

| suPHP 0.6.2 released | 2006-11-19 |
|---|---|

suPHP 0.6.2 has been released.
The following problems have been fixed with this release:
- Double free() problem with certain versions of GCC
- Dead locked Apache processes when a script wrote more
than 4096 bytes to stderr.
- Problems with PATH_INFO environment variable
Features / improvements:
- Apache 2.2 compatibility
- (Basic) mod_userdir support

| suPHP 0.6.1 released | 2005-12-01 |
|---|---|

suPHP 0.6.1 has been released.
This is mainly a bugfix release (hopefully) fixing the following
problems:
- Build problems due to APR headers not being found
- HTTP 500 Errors when a script sends a Last-Modified-Header
- suPHP is now reading its runtime configuration from a file
- Potential buffer overflow in mod_suphp.c for Apache2.
This overflow could not be exploited as the relevant
parameter to the function call was constant, however it was
fixed as it might have grown into a problem if this function
had been used by other parts of the code with variable
parameters.
- Some code using STL was changed to gain better compatibility
with old GCC versions (credits to Jeremy Chadwick for finding
the solution)
- Typos in mod_suphp.c for Apache 1.3 (credits to Johan Ekberg for
finding them)
There is a small new feature, too:
- chroot() support was added. In the configuration file, a path
can be specified, in which suPHP will chroot() before executing
the script.

| suPHP 0.6.0 released | 2005-06-11 |
|---|---|

suPHP 0.6.0 has been released.
For this release suPHP has been completely rewritten.
This is an (incomplete) list of only the most important changes:
- Complete code rewritten now using C++ instead of C
- Automake based build system
- suPHP is now reading its runtime configuration from a file
- Apache 1.3 module completely rewritten - now all modes are
supported with Apache 1.3, too
- Support for concurrent use of different PHP versions (e.g. 3, 4, 5)
This release was sponsored by Techno-vi - Wanix.
Thanks to the sponsor!

| suPHP 0.5.2 released | |
|---|---|

suPHP 0.5.2 has been released.
There are several changes in comparison to version 0.5.1:
- Added support for UIDs/GIDs not listed in system configuration
when using "force" or "paranoid" mode
- Fixed bug in configure script that caused autoconf to assume
wrong values
- Changed behaviour for setting "REDIRECT_STATUS": Now it is
only set to "200" when it has not already been set by Apache
- Fixed bug causing environment variables with values ending with a
'=' sign to be unset

| suPHP 0.5.1 released | |
|---|---|

suPHP 0.5.1 has been released. Version 0.5.1 is mainly a bugfix
release, fixing the bug causing a segmentation fault in the Apache
2 module and improving the handling of environment variables.
Instead of setting unneeded / unwanted environment variables to an
empty string, they are now completely removed from the environment.

| suPHP 0.5 released | |
|---|---|

After several days of coding and an even longer time of testing,
suPHP 0.5 has finally been released.
The most important improvement is Apache 2.x compatibility, but there
are a lot more features, including improved logging and compatibility
with more platforms. See the ChangeLog in the suPHP distribution for
details.

| Solaris patch for suPHP 0.3.1 | |
|---|---|

Due to differences in the system APIs between Linux and Solaris, suPHP did
not work on Solaris systems.
Now, James O'Dell has created a compatibility patch for Solaris
(which might also work for IRIX). You can get the patch from the
suPHP download archive.

| suPHP 0.3.1 released | |
|---|---|

suPHP 0.3.1 has been released. In this version a bug concerning the
"--disable-checkuid" option has been fixed.
If you succeeded in compiling suPHP 0.3, there is no need to upgrade to
version 0.3.1.

| suPHP 0.3 available | |
|---|---|

suPHP 0.3 has been released. The most important change concerns the build
system which is now based on GNU autoconf. Due to this change building
and installing suPHP should be much easier now.
A problem which was sometimes caused by the so-called "supplementary
groups" feature has been fixed: In the past, users gained the permissions
of the group Apache was running as. Now, they have exactly the
permissions of the groups of which they are members.
In addition, some small changes have been made in order to make suPHP work
with scripts whose UIDs/GIDs are not listed in /etc/passwd or
/etc/group, respectively. See the documentation for details on this change.

| Patch for suPHP on FreeBSD available | |
|---|---|

Clement Laforet has created a patch to make suPHP
work on FreeBSD without having to modify the configuration.
The patch was made for suPHP 0.2.2 but will probably also work with
suPHP 0.2.3.

| French documentation for suPHP now available | |
|---|---|

The documentation included within the suPHP packages is now available
in French, too.
Thanks to Clement Laforet for translating the docs!

| suPHP 0.2.3 released | |
|---|---|

In version 0.2.3 a small bug, which made it possible to circumvent
.htaccess security when FollowSymlinks was activated, was fixed.

| Bug in suPHP 0.2.1, version 0.2.2 released | |
|---|---|

In the package with suPHP 0.2.2 the file "suphp.h" was not included.
For this reason suPHP 0.2.1 failed to compile!
In suPHP 0.2.2 this file is included again, so there shouldn't be this
problem any more.

| suPHP 0.2.1 now available | |
|---|---|

In suPHP 0.2.1 a bug, which caused the suPHP_ConfigPath option not
to work on some PHP installations, was fixed.

| German documentation for suPHP 0.2 now available | |
|---|---|

The documentation included within the suPHP packages is now available
in German, too.
Thanks to Jonas Pasche for translating the docs!

| Changes in version 0.2 | |
|---|---|

- Added support for (de-)activation for each VirtualHost defined in
the Apache configuration
- Added support for different php.ini's, configurable in the
Apache config