default mime type setting in apache creates security problem

jackc
02-13-2007, 12:17 AM
Seems the default setting in Apache is not safe:


<IfModule mod_php4.c>
AddType application/x-httpd-php .inc .php .php4 .php3 .phtml
AddType application/x-httpd-php-source .phps
</IfModule>
<IfModule mod_php3.c>
AddType application/x-httpd-php3 .php3
AddType application/x-httpd-php3-source .phps
</IfModule>
<IfModule mod_php.c>
AddType application/x-httpd-php .phtml
</IfModule>


which will run a.php.mht as PHP. Hackers can find a way to upload a non-PHP file, such as by using buggy forum software, and gain control of the hosting account.

Changing the setting to something like this can solve the problem:


<IfModule mod_php4.c>
# Apply the mappings only when the PHP extension is the last one in the file name.
# .phps is included in the pattern so the source-display mapping can still match.
<FilesMatch "\.(php|inc|php4|php3|phtml|phps)$">
AddType application/x-httpd-php .inc .php .php4 .php3 .phtml
AddType application/x-httpd-php-source .phps
</FilesMatch>
</IfModule>
<IfModule mod_php3.c>
<FilesMatch "\.(php3|phps)$">
AddType application/x-httpd-php3 .php3
AddType application/x-httpd-php3-source .phps
</FilesMatch>
</IfModule>
<IfModule mod_php.c>
<FilesMatch "\.(phtml)$">
AddType application/x-httpd-php .phtml
</FilesMatch>
</IfModule>


What do you guys think? Is this enough, or is there a better way?
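
An added example, not part of the original post: a small audit that lists file names in an upload area which the default AddType mapping would treat as PHP but the anchored FilesMatch pattern would not. It uses a simplified, conservative model (any dot-separated extension after the base name counts, compared case-insensitively); the function names and the sample file list are constructed for illustration.

```python
import re

# Extensions the default configuration in the post maps to the PHP handler.
PHP_EXTS = {"inc", "php", "php4", "php3", "phtml"}

# The anchored pattern from the proposed <FilesMatch> change (case-sensitive).
ANCHORED = re.compile(r"\.(php|inc|php4|php3|phtml)$")


def extensions(filename):
    """Return every dot-separated component after the base name, lowercased."""
    return [part.lower() for part in filename.split(".")[1:] if part]


def classify(filename):
    """Classify a file name against both configurations.

    'never'        - no PHP-mapped extension anywhere in the name
    'both'         - treated as PHP by the default and the anchored config
    'default-only' - treated as PHP by the default mapping only
    """
    if not any(ext in PHP_EXTS for ext in extensions(filename)):
        return "never"
    if ANCHORED.search(filename):
        return "both"
    return "default-only"


def audit(filenames):
    """Return the names that only the default mapping would run as PHP."""
    return [name for name in filenames if classify(name) == "default-only"]


# Constructed sample listing of an upload directory.
SAMPLE = ["index.php", "a.php.mht", "logo.png", "avatar.phtml.jpg", "notes.txt"]

if __name__ == "__main__":
    for name in audit(SAMPLE):
        print("review:", name)
```

Feed it the output of a directory listing for any path where users can upload files; every name it returns is worth reviewing regardless of which configuration is in place.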