So I learned something about mod_mime today that made my jaw drop.
The default way of telling Apache to parse a PHP file looks something like this:
AddHandler php5-script .php
If you install PHP from the stock packages on RHEL 4, 5 or 6, this is the configuration it ships with.
What I didn't know is that mod_mime treats every dot-separated part of a file name as an extension, so the .php match applies anywhere in the name, not just at the end.
So test.php, test.php.csv and test.php.jpg would all be passed to the PHP handler and executed.
That's a big deal when your application accepts file uploads and only type-checks the last file extension.
Magento, ExpressionEngine, WordPress, etc.
The workaround is to apply the PHP handler only to files whose name ends in ".php", rather than to anything carrying a .php extension somewhere in its name.
And for a little extra 'security', turn the PHP engine off in any directory that accepts uploads:
php_flag engine off
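Here is what both changes look like together in Apache configuration. This is an added example, not the config from the original post or from Red Hat's php.conf; the handler name php5-script is taken from the AddHandler line above, and /var/www/html/uploads is an assumed path for the upload directory.

```apache
# Added example; /var/www/html/uploads is an assumed upload directory.

# Before (the RHEL default): mod_mime treats every dot-separated part of a
# file name as an extension, so "shell.php.jpg" carries ".php" and is
# handed to the PHP handler even though its last extension is .jpg.
#AddHandler php5-script .php

# After: only names whose *final* extension is .php get the handler.
# The regex is anchored with $, so "shell.php.jpg" is served as a plain
# file and never executed.
<FilesMatch "\.php$">
    SetHandler php5-script
</FilesMatch>

# Defence in depth for the upload directory: switch the PHP engine off
# there, so even a file that does end in .php is served, not run.
# php_flag is a mod_php directive; it has no effect when PHP runs under
# FPM/FastCGI, where the handler for this path would have to be removed instead.
<Directory "/var/www/html/uploads">
    php_flag engine off
</Directory>
```

If the engine-off setting has to live in an .htaccess file inside the upload directory rather than in the main config, the directory needs AllowOverride Options (or All) for php_flag to be honoured; php_admin_flag is only valid in the main server configuration. After changing the handler, request a file named something like test.php.jpg and confirm the response is the raw file contents, not PHP output.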
Which I'm going to go back and change on any server I've ever set up.
I learned this tidbit from a security advisory from Magento.
UPDATE: You may also see a lot of folks recommend turning on "open_basedir" in PHP to lock things down.
There is a caveat there too. When "open_basedir" is in use, PHP disables the realpath cache.
This makes loading/including files very slow.