Fcgi starter script is editable by client

short description

A client may modify his own fcgi starter script in /var/www/php-fcgi*/web and add shell commands resulting in the commands being executed as www-data

What should happen instead?

This should not be possible

Deb Jessie w/ apache2

All others untestes