That is one of the biggest problems with a default install of PHP at an ISP, especially for sysadmins who don't read the manual :-(. It is not a PHP security hole at all, though, because the PHP developers long ago devised a way to deal with this. This problem can be easily fixed, if the ISP makes just a few changes to the php.ini configuration, for example:
safe_mode = On
doc_root = /usr/local/apache/htdocs
user_dir = public_html
(Assuming PHP is running as an Apache module) this would prevent scripts running in a user's directory from opening files outside of that user's directory, and it would prevent all PHP scripts in general from opening files in other locations on the server. In this example, you would have the user's directory in the traditional Unix "/home/username/public_html" location and would just use Apache virtual hosting to resolve that to the domain name. There are more security steps that can be taken, if you look at the following:
I would recommend you ask your hosting company if they have taken this type of precaution, and if not, either demand it of them, or switch to an ISP that does.
Now the issue of users actually having shell access on the system and manually browsing other users' files should be dealt with using standard Unix user/group security measures. It should be no problem to allow a user's files to be read by Apache user "nobody", but not by other users in the system. Also, all of this will be less trouble once ACLs are standardized in Unix systems (FreeBSD version 5 will have Access Control Lists built in, and I believe there is work underway to do this in Linux also).
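The file-permission arrangement described in the last paragraph, as an added shell example that is not part of the original post: it lists entries under a user's web directory that grant any access to "other", then restricts them to the owner plus the web server's group. The directory path and the group name passed in are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumed inputs: a web directory such as /home/username/public_html and
# the group that the Apache user ("nobody" in the post) belongs to.

# Print every file or directory under $1 that grants read, write or
# execute permission to "other" (symlinks are skipped, their mode bits
# are not meaningful).
audit_other_access() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Number of entries reported by audit_other_access.
count_other_access() {
    audit_other_access "$1" | wc -l | tr -d ' '
}

# Hand group ownership to the web server's group and drop all access
# for "other".
#   $1 = web directory, $2 = web server group (assumption, site-specific)
harden_webdir() {
    dir=$1
    web_group=$2
    chgrp -R "$web_group" "$dir" || return 1
    # Directories: owner rwx, group r-x (needed to traverse), other none
    find "$dir" -type d -exec chmod 750 {} +
    # Files: owner rw-, group r--, other none
    find "$dir" -type f -exec chmod 640 {} +
}
```

The parent home directory must still let the web server traverse into the web directory, and changing group ownership to a group the caller is not a member of requires root.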