On Sunday 06 April 2008 05:32:39 pm Roland Mas wrote:
> > i suspect php users will still be able to find that out, in the same
> > way that they can read ssl private keys from the webserver's memory
> > (you *did* know they can do that, right?
> Erm, no, I didn't. Is that supposed to happen (by design), or is it
by apache's design, any loaded module (like mod_php, mod_python, etc) can read
the memory contents of the apache process. i think they make the assumption
that since the admin won't intentionally load an evil apache module that this
isn't a problem. however, if one of the modules (via vulnerability or poor
design) allows such access, then you're still in this situation.
they (apache devs) could of course make this a non-issue by compartmentalizing
things (i.e. have a seperate process/uid for doing ssl encoding/decoding),
but my guess is that this was either not a concern and/or too much work
and/or too much performance cost to be done the Right Way.
> just a bug in the PHP interpreter? It sounds like a severe security
the... ehem... "history" of the php interpreter is that it is often easy to
leverage small bugs and design flaws to get this information. however, i
don't think this is php-specific. if someone has a system configured with
mod_python that i could play with, i might be able to verify that