Mark Rogers <mark@quarella.co.uk> wrote:
> Is it possible to prevent Apache from running a script from a writeable directory?

Yes. Options -ExecCGI for that directory and redefine things like .php to not be handled by their Apache modules.
You should be able to find the enabling lines in your Apache configuration file, and so the disabling lines should be obvious (IIRC, an enabling line of AddHandler php-script .php suggests a disabling line of RemoveHandler .php or similar).
An alternative global approach is to configure your Apache (User and Group directives) and/or filesystem (chmod g+s or u+s) so that uploaded files appear with certain user or group ids which are not allowed to run scripts by suExec or similar. I do that on some servers.
On most hosting servers I run, I try to set things up so that all web scripts run as a user of that domain and there are careful rate and resource limits (outgoing emails, outgoing connection attempts, and so on), so if a user uploads a dodgy plugin and doesn't secure it, it probably only trashes their own site and degrades their own service until it sets my alarms off.
Hope that helps,
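
The per-directory approach from the reply above, written out as an added example (not part of the original message, and not taken from any particular server's configuration). It assumes Apache 2.4; the path /var/www/example/uploads and the extension list are placeholders to adapt to the handlers your own configuration enables.

```apache
# Added example: stop Apache from executing anything in a writeable
# upload directory. The path below is a placeholder.
<Directory "/var/www/example/uploads">
    # No CGI execution and no server-side includes from this tree.
    Options -ExecCGI -Includes

    # Ignore .htaccess here, so an uploaded .htaccess cannot
    # switch handlers or options back on.
    AllowOverride None

    # Undo extension-to-handler and extension-to-type mappings made
    # elsewhere with AddHandler / AddType (for example
    # "AddHandler php-script .php" in the main configuration).
    RemoveHandler .php .phtml .cgi .pl .py
    RemoveType .php .phtml

    # Some configurations attach the interpreter with SetHandler
    # inside a FilesMatch block rather than with AddHandler;
    # RemoveHandler does not touch those, so reset the handler
    # explicitly for the same extensions.
    <FilesMatch "\.(php|phtml|cgi|pl|py)$">
        SetHandler None
    </FilesMatch>
</Directory>
```

After reloading, request a harmless test script placed in that directory: the response should be the file's source text or a download, not its executed output.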