On the English wiki / securing your site:
http://wiki.modxcms.com/index.php/Securing_your_site
Excerpts from the hosting provider's email (read too quickly..):
In both cases, note that PHP runs as CGI with suexec, which means that PHP scripts are executed under your own identity (the same one as for FTP), with all the advantages that implies (notably for file manipulation). However, it also means that a PHP script can potentially do a lot of damage in case of a bug or security flaw, so be wary of scripts known for their security problems.
Excerpt from the English wiki / securing your site:
Many scripts store, for example, a database username and password in the PHP file, and so every client on that server could read your PHP files to retrieve your password and access your databases. This is clearly not very secure.
So what can be done? This is where systems like suPHP and PHPSuexec come into play. suPHP and PHPSuexec make PHP run as CGI under your own user/group level. This means that with suexec enabled your PHP scripts are executed under your user and you don't have to have your files and folders with 777 permissions anymore. In fact, if you use 777 permissions on your scripts or directories, they will not run and will instead cause a 500 internal server error when attempting to execute them. This is done to protect you from someone abusing your scripts.
When suPHP or PHPSuexec is enabled, your scripts can have a maximum of 644 permissions (i.e. read/write by you, read by everyone else) and directories can have a maximum of 755 permissions (i.e. read/write/execute by you, read/execute by everyone else). So in summary, PHP running as CGI/suexec is much more secure than the older Apache module method.
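As an added example (my own script, not from the wiki or the hosting provider): a POSIX shell check that walks a web root and lists every file or directory that suPHP/PHPSuexec would refuse, plus a fix that tightens them. It assumes the rule the quoted text describes, i.e. anything group- or world-writable is rejected (the suphp.conf defaults allow_file_group_writeable=false, allow_file_others_writeable=false and the matching directory options); a 644 file or 755 directory passes, a 666 file or 777 directory is reported. The web root path is whatever you pass in.

```shell
#!/bin/sh
# Added example, not code from the wiki or the host. Assumption: suPHP /
# PHPSuexec refuses any script or directory that is group- or world-writable,
# which is what the "max 644 for files, max 755 for directories" rule means.

# List entries under $1 that suexec would reject, one "mode path" per line.
# Returns 0 if nothing was found, 1 otherwise.
suexec_perm_check() {
    root=$1
    n=0
    # POSIX find: "-perm -g+w" matches entries with the group-write bit set,
    # "-perm -o+w" those with the other-write bit set. The root itself is
    # included in the walk, since a 777 document root is rejected too.
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        # GNU stat first, BSD/macOS stat as fallback; both print octal mode.
        mode=$(stat -c '%a' "$p" 2>/dev/null || stat -f '%Lp' "$p")
        printf '%s %s\n' "$mode" "$p"
        n=$((n + 1))
    done <<EOF
$(find "$root" \( -perm -g+w -o -perm -o+w \) -print)
EOF
    [ "$n" -eq 0 ]
}

# Remove the group/other write bits from every offending entry. This keeps
# the owner's bits as they are, so a 666 file becomes 644 and a 777
# directory becomes 755, which is exactly the ceiling suexec allows.
suexec_perm_fix() {
    find "$1" \( -perm -g+w -o -perm -o+w \) -exec chmod go-w {} +
}

# Usage: sh suexec_perms.sh /path/to/web/root [--fix]
if [ "$#" -ge 1 ] && [ -d "$1" ]; then
    if suexec_perm_check "$1"; then
        echo "ok: no group/world-writable entries under $1"
    elif [ "$2" = "--fix" ]; then
        suexec_perm_fix "$1"
        echo "fixed: write bits removed for group/other under $1"
    else
        echo "rerun with --fix to chmod go-w the entries above" >&2
        exit 1
    fi
fi
```

Run it against the document root after uploading a script that ships with 777 permissions (many installers still do); anything it lists is also what the provider's 500 internal server error is hiding.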