How to tell Apache to be more strict about files with multiple extensions. The bolded text is what was necessary to make the browser show PHP as plain text on Dreamhost.

One necessary approach to solve this vulnerability is to use a better value with fileDenyPattern within your application. On the other side, another approach could be to modify the Apache configuration (maybe through a .htaccess file on shared webhosting) to make Apache less "sloppy" (from our perspective) when dealing with multiple file extensions. In the unlikely case there are already files existing in your webspace you might consider to force Apache to definitely only treat files as PHP scripts that have a file name with ".php" as final extension.

This will display the content of the files as text/plain:

ForceType text/plain

This will deny to access the files via HTTP at all:

Deny from all

Make sure that you don't "switch off" PHP files that belong to the TYPO3 system, so don't use the FilesMatch directive in a place where it can affect the contents of the folders typo3, typo3conf or t3lib.

A more general approach to prevent Apache's multiple file type handling would be to unregister PHP file types and only map files based on their last extension to their according handler. In our case putting:

ForceType text/plain
RemoveHandler .php .php3 .php4 .php5 .php5 .phps .pht .phtml

or

RemoveType .php .php3 .php4 .php5 .php6 .phps .pht .phtml

into virtual host configuration or an .htaccess file would make the trick. Then we register the handler again according to the last file extension with

SetHandler application/x-httpd-php


SetHandler application/x-httpd-php-source

Caution: According to our experiences, when using Debian based Linux distributions, you additionally have to comment/remove the listed PHP mime types from /etc/mime.types. Otherwise the changes above don't have any effect.