Archive | PHP

Disable PHP zlib.output_compression

If you need to disable zlib output compression from the .htaccess file, then just add the following line to the top of the file:



Too Many PHP Session Files

I’ve seen several servers with high-traffic PHP sites hosted on Plesk servers building up an excessive number of PHP session files in /var/lib/php/session. Typically we discover this problem when the server runs out of inodes on the root filesystem.

Plesk provides a cronjob that runs hourly to clean up PHP session files:

For low-traffic sites this script works just fine. But for high-traffic sites with thousands of sessions per hour the script is too slow and can’t keep up with the rate at which files are created.

The problem is that the script checks each file using the “fuser” utility to determine if the file is in use. This is a slow process, so on these high-traffic servers I’ve found it necessary to remove the “fuser” check. Edit /etc/cron.hourly/plesk-php-cleanuper and change this line:


Now the session cleanup will run smoothly.


Apache mod_fcgi on CentOS 6.4

There are a lot of tutorials on how to install mod_fcgi with suexec out there but many are incomplete, outdated or just don’t work. One that does work is here:



Plesk 11.5 with Multiple PHP Versions

The latest version of Plesk supports multiple PHP versions. The user or admin can select the version from the control panel.

Once you have the PHP versions installed, use the /usr/local/psa/bin/php_handler utility to inform Plesk. For example:

Also here’s an article that shows how to build the alternate version on Debian, including accurate info about necessary patches:



Local File Inclusion Attacks

We’ve seen several sites compromised in the last few weeks using a “local file inclusion” vulnerability with “php://input”. Here are some sample log entries:

- - [23/May/2013:12:23:54 +0000] "POST /?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 247 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.860.0 Safari/535.2"

- - [29/May/2013:08:38:22 +0000] "GET /?-n+-dallow_url_include%3DOn+-dauto_prepend_file%3D HTTP/1.1" 200 1104 "-" "Opera/9.80 (Windows NT 6.1; U; MRA 8.0 (build 5745); ru) Presto/2.10.229 Version/11.64"

This page explains the attack:

One of the compromised sites was Expression Engine and one was Drupal.

Here’s a bit of PHP code that I added to index.php to stop further attacks:

Obviously this is a very serious threat. We would advise all sites to test for this vulnerability.
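The request pattern in the sample log entries above can be searched for in an existing access log. The following is an added example, not the index.php code from this post; the function names are illustrative, and the log lines are constructed from the entries above with placeholder client addresses (192.0.2.x) and a shortened user agent.

```python
import re
from urllib.parse import unquote_plus

# Apache combined-log prefix: client, identd, user, [time], "request", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# A "-d name=value" switch (with or without a space after -d) that sets one of
# the two php.ini directives seen in the sample requests.
SWITCH_RE = re.compile(
    r'(?:^|\s)-d\s*(allow_url_include|auto_prepend_file)\s*=', re.IGNORECASE
)

def injected_directives(target):
    """Return the php.ini directives set by switches in the query string."""
    _, sep, query = target.partition("?")
    if not sep:
        return []
    # The samples write "=" as %3d/%3D and spaces as "+"; decode both first.
    decoded = unquote_plus(query)
    return sorted({name.lower() for name in SWITCH_RE.findall(decoded)})

def scan(lines):
    """Return one finding per log line whose request sets those directives."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        hits = injected_directives(m["target"])
        if hits:
            findings.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                             "status": int(m["status"]), "directives": hits})
    return findings

# Constructed sample: the first two request lines come from the entries above,
# the third is a benign request that only mentions a directive name.
SAMPLE = [
    '192.0.2.10 - - [23/May/2013:12:23:54 +0000] "POST /?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 247 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [29/May/2013:08:38:22 +0000] "GET /?-n+-dallow_url_include%3DOn+-dauto_prepend_file%3D HTTP/1.1" 200 1104 "-" "Opera/9.80"',
    '192.0.2.12 - - [29/May/2013:08:40:01 +0000] "GET /index.php?q=auto_prepend_file+docs&d=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A finding with status 200, as in both sample entries, is worth checking against file changes on the site from around the same timestamp.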