Beware of the default Apache 2 config for PHP
Note: This article was originally published at Planet PHP on 31 August 2010.
AddHandler application/x-httpd-php .php
AddHandler application/x-httpd-php-source .phps
The non-obvious problem with the above is that it treats not only "file.php" as a PHP script but also "file.php.txt". Apache's mod_mime examines every dot-separated extension of a filename, not just the last one, so any file that has ".php" as one of its extensions, wherever it appears, is handed to PHP. This creates a rather nasty security hole, since many upload validation routines only check the final extension. An attacker can bypass such a check simply by appending another "harmless" extension such as .txt or .pdf to the filename and still get the code to execute.
To mitigate this problem you should instead use the following configuration, which only picks up files whose last recognised extension is .php, because a later AddType extension (e.g. .txt mapped to text/plain) overrides the PHP content type. Be aware that this is still not airtight: mod_mime ignores extensions it does not recognise, so a name like "file.php.xyz" keeps the PHP content type and is still executed. The robust form is a <FilesMatch "\.php$"> section containing SetHandler application/x-httpd-php, which matches only on the end of the filename; the AddType form below is the minimal improvement over AddHandler.
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
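As an added illustration (not part of the original article), the following Python script models how mod_mime resolves a request for a file with several extensions under the AddHandler and AddType configurations above and under the FilesMatch/SetHandler form. The tiny directive parser, the two-line stand-in for mime.types and the sample upload names are constructed for the example; the behaviour it models is that a handler wins over a content type, the rightmost recognised extension wins within each kind of metadata, unrecognised extensions are skipped, and SetHandler in a matching section overrides whatever the extensions produced.

```python
import re

PHP_HANDLER = "application/x-httpd-php"

# Constructed stand-in for TypesConfig/mime.types: a real server knows
# hundreds of extensions, this model only needs the ones used below.
MIME_TYPES = """
AddType text/plain .txt
AddType image/jpeg .jpg .jpeg
"""

# The three configuration styles under comparison.
ADDHANDLER_CONF = MIME_TYPES + "AddHandler application/x-httpd-php .php\n"
ADDTYPE_CONF = MIME_TYPES + "AddType application/x-httpd-php .php\n"
FILESMATCH_CONF = MIME_TYPES + r'''
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>
'''


def parse_config(text):
    """Parse the handful of directives this model understands."""
    cfg = {"types": {}, "handlers": {}, "filesmatch": []}
    section = None  # compiled regex of the currently open <FilesMatch>
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'<FilesMatch\s+"([^"]+)"\s*>$', line)
        if m:
            section = re.compile(m.group(1))
            continue
        if line.lower() == "</filesmatch>":
            section = None
            continue
        words = line.split()
        directive, args = words[0].lower(), words[1:]
        if directive == "sethandler" and section is not None:
            cfg["filesmatch"].append((section, args[0]))
        elif directive in ("addtype", "addhandler"):
            table = cfg["types"] if directive == "addtype" else cfg["handlers"]
            for ext in args[1:]:
                table[ext.lstrip(".").lower()] = args[0]
        else:
            raise ValueError("unsupported directive: " + line)
    return cfg


def effective_handler(cfg, filename):
    """Return the handler name Apache would dispatch the request on.

    Every dot-separated component after the base name is examined left to
    right; a recognised extension overrides what an earlier one set for the
    same kind of metadata, and an unrecognised extension is skipped without
    resetting anything. SetHandler in a matching <FilesMatch> wins over
    whatever the extensions produced.
    """
    base = filename.rsplit("/", 1)[-1]
    content_type = handler = None
    for ext in base.split(".")[1:]:
        ext = ext.lower()
        if ext in cfg["types"]:
            content_type = cfg["types"][ext]
        if ext in cfg["handlers"]:
            handler = cfg["handlers"][ext]
    for pattern, forced in cfg["filesmatch"]:
        if pattern.search(base):
            handler = forced
    # With no explicit handler Apache dispatches on the content type,
    # which is why the AddType form works at all.
    return handler or content_type


def executes_as_php(cfg, filename):
    return effective_handler(cfg, filename) == PHP_HANDLER


def report(filenames):
    """Map each filename to its (AddHandler, AddType, FilesMatch) verdicts."""
    configs = [parse_config(c) for c in (ADDHANDLER_CONF, ADDTYPE_CONF, FILESMATCH_CONF)]
    return {f: tuple(executes_as_php(c, f) for c in configs) for f in filenames}


# Constructed upload names an attacker might try against a validator that
# only inspects the last extension.
SAMPLE_NAMES = ["index.php", "avatar.php.txt", "avatar.php.jpg",
                "avatar.php.xyz", "avatar.txt.php", "notes.txt"]

if __name__ == "__main__":
    print(f"{'filename':16} AddHandler  AddType     FilesMatch")
    for name, verdicts in report(SAMPLE_NAMES).items():
        print(f"{name:16} " + "  ".join(f"{str(v):10}" for v in verdicts))
```

Running the script prints one row per sample name. The "avatar.php.txt" row shows the hole the article describes (executed under AddHandler only), while the "avatar.php.xyz" row shows why AddType is only a partial fix: the unknown extension is ignored, the PHP content type survives, and the file is executed; only the FilesMatch form refuses it. The "avatar.txt.php" row executes under all three, which is correct, since that name really does end in .php and no validator should accept it.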