Apache playing games!!
shinepuppy
02-08-2003, 03:11 PM
Hi guys/gals,
Please excuse my selective blindness but I didn't notice this thread was here until AFTER I posted it in the technical help forum.
Here is a link to that post:
http://justlinux.com/forum/showthread.php?s=&postid=499900#post499900
Here is the meat of my original post:
Howdy Gang,
Here is the story. I have a machine running redhat 7.2 with Apache (1.3.22) and PHP (4.2.2). I made an html file (example.html) that looks something like this:
example.html:
<?
phpinfo();
?>
Nothing fancy.. just a simple HTML file that contains php code. Here is the problem. When the permissions are set to something non user executable (644):
-rw-r--r-- example.html
Apache reacts in a predictable way by outputting the source of the file... NOT interpreting the php code.
If the permissions are set to something user executable (744):
-rwxr--r-- example.html
Apache treats the html file exactly as if it were a php script. If you hit the url you will get the phpinfo spit out!?!?!? This isn't THAT bad you might think, but in my case it is a huge security risk.. php code executed from *.html files :eek:
I've scoured the Apache configs and haven't been able to find anything. My initial thought was that apache was configured to recognize .html files as php scripts.. but that isn't the case. Does anybody have any clues or has anyone run into this before??
Thanks a bunch and have a great day :)
Seminole
02-09-2003, 04:23 PM
I was under the impression that that was a normal function of PHP. I think you are supposed to be able to have PHP execute in a html doc.
I just tried to do the same thing with a few of my php files (renamed to .html and changed permissions to 777) but it did NOT work for me. It just showed the code.
I think there is a setting in httpd.conf that can set whether PHP is parsed from html docs.
Read here;
http://www.php.net/manual/en/configuration.php
There is a section that might shed some light on this. I think it's the second post down. The guy talks about getting PHP to run under html formats although he stated that doing that would cause performance issues.
I'm sure there is a setting in httpd.conf that is referencing .html and php. Find it and get rid of the html portion to disable it (I guess). I looked at a few places in my config, added the .html extension but was still unable to get PHP to execute under a html tag. I don't have a need for that as I'm happy with the php tags.
AddType application/x-httpd-php .php .html
I thought that was the line that tied html to PHP but I added the .html as noted above but it didn't work for me. If you have this line, I would ditch the ".html" portion and try it again.
Like I said, I think it's a normal function to execute php in html files but I don't think you want to do it either.
Sorry if I'm off base......
shinepuppy
02-09-2003, 08:29 PM
Hey Seminole,
Thanks for the reply! I think the 'normal' config for apache depends on your distro. This is my first experience with a true red hat system. I've previously worked with Debian, SuSE, mandrake, and Slackware and their packages never configured apache to interpret PHP in .html files.
I made certain to check for a funny line that associated php with .html files and didn't find one. What I did find was that this behavior is very similar to having 'XBitHack' turned on for SSI (server side includes). Here is a link:
http://httpd.apache.org/docs/howto/ssi.html
So... here is my new problem. I don't have the XBitHack directive anywhere in my conf files, however grep does tell me that 'XBitHack on' was found in the binary file mod_include.so. I have tried turning XBitHack off, but I still get the same reaction. I then decided to turn off all server side includes. I commented out all the load and add module lines, option +include lines, and server-parsed lines, but to no avail, the same behavior persists!! :mad:
Does anybody know how to turn the XBitHack off or how to disable SSI?
Anyways... thanks a lot for your reply Seminole... really got my brain juices flowin ;)
YorkshireYank
02-09-2003, 08:33 PM
have you tried renaming the file from filename.html to filename.php?
Seminole
02-09-2003, 09:31 PM
Check this out.....
http://forums.devshed.com/archive/5/2001/03/1/11358
It lists the same line as above and shows what I was getting at. I have a base install of RH 8 as well and have no Xbit entries....
Apparently that module is to allow SSI. I don't know how to turn it off....
If you can, locate that portion of your httpd.conf and paste it here.
# AddType allows you to add to or override the MIME configuration
# file mime.types for specific file types.
#
AddType application/x-tar .tgz
# for PHP 3
AddType application/x-httpd-php3 .php3 .html
# for PHP 4
AddType application/x-httpd-php .php .html
It's basically telling the server to use the PHP backend to handle .html tagged files. At least that is my interpretation.
Also, when you make changes to your smb config file, you have to restart the service for the changes to take effect. Do you think that you would have to restart httpd to get the changes in httpd.conf to take effect? You might want to try it....
I know that I DIDN'T restart httpd when I was doing my testing. Perhaps that is why the changes didn't have an effect.
service httpd restart
or
service httpd stop
service httpd start
hmmmmmmm
I'm really interested in this now. I'll see what else I can dig up.......
Seminole
02-09-2003, 09:43 PM
Actually, that is it......
I just set the config the same way it is listed above (including the red ".html" portion).
I restarted httpd and then renamed my index.php file to .html and then set the privs and it parsed the PHP perfectly.
I'd load up a screenshot but I'm way too lazy right now.
Basically this may not fix your issue but it sure as heck confirms to me that at least I wasn't crazy in my theory and I actually found the place to fix it (with my limited knowledge of Linux). :).
That's what all this Linux stuff is about right? I love this OS!
Anyway, paste your config and we'll see if perhaps your setup is the same or different than mine.
Thanks!
Seminole
02-09-2003, 09:47 PM
HAHAHA
I actually added ".asp" in the conf instead of .html. Renamed the index.html to index.asp and guess what......
PHP parsed perfectly. I guess it would be kinda cool to have that enabled on a Linux server. Basically you could fool folks into thinking that the site was Win Based. You could do the same thing with .coldfusion as well.
That's interesting. I would guess that you could probably have ".foo" or ".slappy" files and they would also work. I don't know what the performance problems would be but it is kinda cool.
I'll probably go play some more.
Just remember to restart the service between changes.
EDIT:::::
I'll just link this instead of inserting the pic (It would blow the thread all to hell cause it's huge).
http://telecomgeeks.com/Misc/snapshot1.png
It's a quick screenshot with the conf file in its current state. Note the lack of .html tags. There are two browsers, one looking at index.slappy and it displaying the simple print. The html is not working since its file association is no longer referenced.
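
Added example (not part of the original thread): a small Python check for the kind of line the posters were hunting for, namely AddType/AddHandler entries that hand extensions other than the expected PHP ones to PHP, plus an active XBitHack directive. The function name, the allowed-extension set and the sample config are assumptions made for illustration.

```python
# Added example: audit Apache config text for directives that route
# unexpected file extensions through PHP, and for XBitHack (mod_include).

# Assumption: only these extensions are meant to reach the PHP handler.
ALLOWED_PHP_EXTS = {".php", ".php3"}

def norm_ext(ext):
    """Apache accepts extensions with or without the leading dot."""
    return "." + ext.lower().lstrip(".")

def audit(conf_text, allowed=ALLOWED_PHP_EXTS):
    """Return a list of (line_number, directive, detail) findings."""
    findings = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # skip blanks and comments
            continue
        parts = line.split()
        name, args = parts[0].lower(), parts[1:]
        if name in ("addtype", "addhandler") and len(args) >= 2:
            target, exts = args[0].lower(), args[1:]
            if "php" not in target:               # heuristic: PHP type/handler names contain "php"
                continue
            extra = sorted({norm_ext(e) for e in exts} - allowed)
            if extra:
                findings.append((n, parts[0], "PHP mapped to " + " ".join(extra)))
        elif name == "xbithack" and args and args[0].lower() in ("on", "full"):
            findings.append((n, parts[0], "execute bit marks HTML files as server-parsed"))
    return findings

# Constructed sample, modelled on the lines quoted in the thread.
SAMPLE_CONF = """\
# AddType allows you to add to or override the MIME configuration
AddType application/x-tar .tgz
AddType application/x-httpd-php3 .php3 .html
AddType application/x-httpd-php .php .asp
#AddType application/x-httpd-php .php .slappy
XBitHack on
AddType application/x-httpd-php .php
"""

if __name__ == "__main__":
    for n, directive, detail in audit(SAMPLE_CONF):
        print(f"line {n}: {directive}: {detail}")
```

Run it over httpd.conf and every file it includes, since the mapping may live in a separate conf file; the server still has to be restarted after any change, as noted in the thread.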