On Sun Apr 06 17:32, Roland Mas wrote:
> sean finney, 2008-04-05 11:59:31 +0200 :
>
> [...]
>
> >> RequestHeader set FooPassword very-secret-credentials
> >
> > i suspect php users will still be able to find that out, in the same
> > way that they can read ssl private keys from the webserver's memory
> > (you *did* know they can do that, right? :)
>
> Erm, no, I didn't.  Is that supposed to happen (by design), or is it
> just a bug in the PHP interpreter?  It sounds like a severe security
> problem...

If you use mod_php then your process is running with the same uid as the web server, ergo, it can read the memory of the apache process. The php interpreter doesn't have much to do with it, as long as system() and friends are enabled.

Matt

-- 
Matthew Johnson
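
Added example, not part of the original thread: a small audit that checks a server's configuration text for the two conditions the reply names, PHP loaded as an Apache module (mod_php) and system() and friends still enabled. The sample configuration text is constructed, and the list of functions counted as "friends" is an assumption of this example.

```python
import re

# Assumption: PHP functions that start external programs ("system() and friends").
EXEC_FUNCS = {"system", "exec", "passthru", "shell_exec",
              "popen", "proc_open", "pcntl_exec"}

def mod_php_loaded(apache_conf):
    """True if an uncommented LoadModule line loads a php*_module."""
    for raw in apache_conf.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        # Module identifiers seen in practice: php5_module, php7_module, php_module
        if re.match(r"LoadModule\s+php\d*_module\s", line, re.IGNORECASE):
            return True
    return False

def disabled_functions(ini_text):
    """Names listed in the disable_functions directive of a php.ini text."""
    disabled = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a php.ini comment
        m = re.match(r"disable_functions\s*=\s*(.*)$", line)
        if m:
            # Assumption: a later assignment replaces an earlier one.
            value = m.group(1).strip().strip('"')
            disabled = {f.strip().lower() for f in value.split(",") if f.strip()}
    return disabled

def enabled_exec_functions(ini_text):
    """Command-execution functions that php.ini leaves enabled."""
    return sorted(EXEC_FUNCS - disabled_functions(ini_text))

def audit(apache_conf, ini_text):
    """Report both conditions; 'exposed' means both hold at once."""
    in_process = mod_php_loaded(apache_conf)
    enabled = enabled_exec_functions(ini_text)
    return {"mod_php": in_process, "exec_enabled": enabled,
            "exposed": in_process and bool(enabled)}

# Constructed sample configuration, not taken from any real server.
SAMPLE_APACHE = "# constructed sample\nLoadModule php5_module modules/libphp5.so\n"
SAMPLE_INI = "; constructed sample\ndisable_functions = exec, passthru ; partial list\n"

if __name__ == "__main__":
    print(audit(SAMPLE_APACHE, SAMPLE_INI))
```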