Re: Bug#402010: How to deal with #402010?
- Date: Sun, 6 Apr 2008 19:37:19 +0100
- From: Matthew Johnson <mjj29@xxxxxxxxxx>
- Subject: Re: Bug#402010: How to deal with #402010?
On Sun Apr 06 17:32, Roland Mas wrote:
> sean finney, 2008-04-05 11:59:31 +0200 :
>
> [...]
>
> >> RequestHeader set FooPassword very-secret-credentials
> >
> > i suspect php users will still be able to find that out, in the same
> > way that they can read ssl private keys from the webserver's memory
> > (you *did* know they can do that, right? :)
>
> Erm, no, I didn't. Is that supposed to happen (by design), or is it
> just a bug in the PHP interpreter? It sounds like a severe security
> problem...

If you use mod_php then your process is running with the same uid as the
web server, ergo, it can read the memory of the apache process. The php
interpreter doesn't have much to do with it, as long as system() and
friends are enabled.

Matt

-- 
Matthew Johnson
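A configuration check for the condition described in the message above, added here as an example and not part of the original thread: it reports whether PHP is loaded into the Apache process and which command-execution functions are still enabled. The function names, the list of "friends" of system() and the sample config text are assumptions made for illustration.

```python
import re

# "system() and friends": PHP functions that run OS commands (list is an assumption).
EXEC_FUNCS = {"system", "exec", "shell_exec", "passthru", "popen", "proc_open"}

def mod_php_loaded(apache_conf):
    """True if an uncommented LoadModule line loads PHP into the Apache process."""
    return bool(re.search(r"^[ \t]*LoadModule[ \t]+php\w*_module\b", apache_conf, re.I | re.M))

def disabled_functions(php_ini):
    """Parse disable_functions from php.ini text; the last assignment wins."""
    disabled = set()
    for line in php_ini.splitlines():
        line = line.split(";", 1)[0].strip()  # ';' starts a php.ini comment
        m = re.match(r"disable_functions\s*=\s*(.*)$", line, re.I)
        if m:
            value = m.group(1).strip().strip('"')
            disabled = {f.strip().lower() for f in value.split(",") if f.strip()}
    return disabled

def audit(apache_conf, php_ini):
    """Flag the combination the message describes: in-process PHP plus command execution."""
    enabled = sorted(EXEC_FUNCS - disabled_functions(php_ini))
    in_process = mod_php_loaded(apache_conf)
    return {"mod_php": in_process, "exec_enabled": enabled,
            "flagged": in_process and bool(enabled)}

# Constructed sample inputs, not taken from any real host.
SAMPLE_APACHE_CONF = """\
LoadModule ssl_module modules/mod_ssl.so
LoadModule php5_module modules/libphp5.so
"""
SAMPLE_PHP_INI = """\
; constructed example
disable_functions = exec, shell_exec ; partial list
"""

if __name__ == "__main__":
    print(audit(SAMPLE_APACHE_CONF, SAMPLE_PHP_INI))
```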