
e107 + mod_php = evil

Posted Jan 26, 2010 8:36 UTC (Tue) by efexis (guest, #26355)
Parent article: Backdoor in e107 CMS version 0.7.17

Wow. Thanks, guys. I've had SO much trouble thanks to that e107 software on a server I semi-manage, where e107 was compromised and, with PHP running as a module within Apache, with that single Apache user for all virtual hosts, they pulled site config files with MySQL passwords off every other PHP-based site, then all the user account details from all those databases, and some stuff even more serious. (It was all very nicely logged! That &cmd=xxx ended up in the Apache logs, as nearly all requests were GETs.)

It's such a disastrously insecure setup, yet very common; I'm completely amazed by it. Anyone running PHP virtual hosts out there, I highly recommend mod_fcgid, a rewrite of the earlier FastCGI that runs well and stably and talks to PHP instances that run under their own UIDs through pipes. In most cases it shouldn't need changes to existing PHP code, but in some cases it can; however, it's so worth it that PHP should not be run any other way*.

(*or at all, there's -everything else- out there that's better!)


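The indicator the poster describes, a webshell-style `&cmd=` parameter sitting in the Apache access log because the attacker used GET requests, is easy to hunt for after the fact. The following is an added example, not code from the thread or from the e107 project: it parses Apache "combined" log lines, URL-decodes the query string, and flags requests whose parameter name (assumed names: cmd, exec, command, shell, system) or value looks like a shell command. The log lines are constructed for the example; the request paths are arbitrary and say nothing about where the real backdoor lived. Note the final POST line: its body parameters never reach the access log, which is exactly why the poster was lucky that the attacker stuck to GETs.

```python
"""Hunt Apache access logs for command-injection attempts carried in GET
query strings (the &cmd=xxx indicator described in the post).

Added example, not part of the LWN thread. The sample log lines are
constructed; SUSPECT_PARAMS and SHELL_TOKENS are assumptions about what
webshell traffic commonly looks like, not e107-specific knowledge.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" LogFormat:
#   host ident user [time] "METHOD target PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Parameter names webshells commonly use to carry a command (assumption).
SUSPECT_PARAMS = {"cmd", "exec", "command", "shell", "system"}

# Value patterns that only make sense when fed to a shell (assumption).
SHELL_TOKENS = re.compile(r"(cat |/etc/passwd|wget |curl |nc |;|\|\||&&|`|\$\()")

# Constructed sample log, not real traffic. Only the GET lines expose the
# injected parameter; the POST body is invisible to the access log.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Jan/2010:08:12:01 +0000] "GET /e107/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Jan/2010:08:12:05 +0000] "GET /e107/index.php?cmd=cat%20/etc/passwd HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Jan/2010:08:12:09 +0000] "GET /e107/index.php?cmd=cat%20/srv/othersite/config.php HTTP/1.1" 200 1802 "-" "Mozilla/5.0"
198.51.100.4 - - [26/Jan/2010:08:13:40 +0000] "GET /shop/index.php?page=contact&q=search%20term HTTP/1.1" 200 7331 "http://example.net/" "Mozilla/5.0"
203.0.113.7 - - [26/Jan/2010:08:15:22 +0000] "POST /e107/index.php HTTP/1.1" 200 912 "-" "Mozilla/5.0"
""".splitlines()


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse.
    The query string is split and percent-decoded into rec["params"]."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes values and turns '+' into spaces for us.
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def find_command_injection(lines):
    """Flag every (request, parameter) pair that looks like a shell command.
    Matching on the parameter name catches the classic &cmd=; matching on
    the value catches the same payload smuggled under an innocent name."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, values in rec["params"].items():
            for val in values:
                if name.lower() in SUSPECT_PARAMS or SHELL_TOKENS.search(val):
                    hits.append({
                        "host": rec["host"], "time": rec["time"],
                        "method": rec["method"], "path": rec["path"],
                        "param": name, "value": val, "status": rec["status"],
                    })
    return hits


def commands_by_source(hits):
    """Group the decoded commands by client address so the timeline of what
    each attacker ran (and which other sites' files were read) is visible."""
    by_host = {}
    for h in hits:
        by_host.setdefault(h["host"], []).append(h["value"])
    return by_host


if __name__ == "__main__":
    for h in find_command_injection(SAMPLE_LOG):
        print(f'{h["time"]} {h["host"]} {h["method"]} {h["path"]} '
              f'{h["param"]}={h["value"]!r} -> {h["status"]}')
    print(commands_by_source(find_command_injection(SAMPLE_LOG)))
```

Run it against a real log with `find_command_injection(open("access.log"))`; a status of 200 on a flagged line is the one to worry about, since it means the script answered rather than rejected the request. The third constructed line is the shared-UID problem in one row: with mod_php every vhost's PHP runs as the same Apache user, so a `cat` of another site's config file succeeds, whereas under mod_fcgid with per-site UIDs that read is denied by ordinary file permissions.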

e107 + mod_php = evil

Posted Jan 26, 2010 14:28 UTC (Tue) by cortana (subscriber, #24596)

Huge AOL on mod_fcgid. I can't understand why it's not used _everywhere_.

I hope it makes it into apache httpd proper some day!


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds