
Re: Bug#402010: How to deal with #402010?



heya,

On Sunday 06 April 2008 05:32:39 pm Roland Mas wrote:
> > i suspect php users will still be able to find that out, in the same
> > way that they can read ssl private keys from the webserver's memory
> > (you *did* know they can do that, right? :)
>
> Erm, no, I didn't.  Is that supposed to happen (by design), or is it

by apache's design, any loaded module (like mod_php, mod_python, etc) can read 
the memory contents of the apache process.  i think they make the assumption 
that since the admin won't intentionally load an evil apache module that this 
isn't a problem.  however, if one of the modules (via vulnerability or poor 
design) allows such access, then you're still in this situation.

they (apache devs) could of course make this a non-issue by compartmentalizing 
things (i.e. have a separate process/uid for doing ssl encoding/decoding), 
but my guess is that this was either not a concern and/or too much work 
and/or too much performance cost to be done the Right Way.

> just a bug in the PHP interpreter?  It sounds like a severe security
> problem...

the... ehem... "history" of the php interpreter is that it is often easy to 
leverage small bugs and design flaws to get this information.   however, i 
don't think this is php-specific.  if someone has a system configured with 
mod_python that i could play with, i might be able to verify that :)


	sean
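
The compartmentalization described in the message above, as an added example that is not part of the original post and is not Apache code: a forked helper process holds the key, and the worker only sends it sign/verify requests, so code loaded into the worker has no key in its address space to read. The function names, the one-byte request format and the random HMAC key are assumptions made for the demo.

```python
import hashlib
import hmac
import os
import socket


def start_key_holder():
    """Fork a helper that owns the key; return (socket to helper, helper pid)."""
    # SOCK_SEQPACKET keeps message boundaries and reports peer close (Linux).
    worker_end, holder_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_SEQPACKET)
    pid = os.fork()
    if pid == 0:                      # child: the only process that ever sees the key
        worker_end.close()
        # Constructed key for the demo. A real helper would run under its own
        # uid and read the key from a file only that uid can open.
        key = os.urandom(32)
        try:
            while True:
                req = holder_end.recv(65536)
                if not req:           # worker closed its end
                    break
                op, data = req[:1], req[1:]
                if op == b"S":        # sign: reply with the 32-byte tag
                    holder_end.send(hmac.new(key, data, hashlib.sha256).digest())
                elif op == b"V" and len(data) >= 32:   # verify: tag || message
                    good = hmac.new(key, data[32:], hashlib.sha256).digest()
                    ok = hmac.compare_digest(good, data[:32])
                    holder_end.send(b"1" if ok else b"0")
                else:
                    holder_end.send(b"E")
        finally:
            os._exit(0)               # never fall back into the worker's code
    holder_end.close()
    return worker_end, pid


def sign(chan, message):
    chan.send(b"S" + message)
    return chan.recv(64)


def verify(chan, tag, message):
    chan.send(b"V" + tag + message)
    return chan.recv(1) == b"1"


def stop_key_holder(chan, pid):
    chan.close()                      # helper sees the close and exits
    os.waitpid(pid, 0)
```
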
