[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#402010: How to deal with #402010?

On Sun Apr 06 17:32, Roland Mas wrote:
> sean finney, 2008-04-05 11:59:31 +0200 :
> [...]
> >> RequestHeader set FooPassword very-secret-credentials
> >
> > i suspect php users will still be able to find that out, in the same
> > way that they can read ssl private keys from the webserver's memory
> > (you *did* know they can do that, right? :)
> Erm, no, I didn't.  Is that supposed to happen (by design), or is it
> just a bug in the PHP interpreter?  It sounds like a severe security
> problem...

If you use mod_php then your process is running with the same uid as the
web server, ergo, it can read the memory of the apache process. The php
interpreter doesn't have much to do with it, as long as system() and
friends are enabled.

Matthew Johnson

Attachment: signature.asc
Description: Digital signature

Reply to: