retitle 287897 phpmyadmin: /etc/phpmyadmin/apache.conf should disable suPHP
severity wishlist
thanks

On Sunday, 9 January 2005 21:42 you wrote:
> The suPHP for phpmyadmin is a bad idea at all. Even if the scripts would be
> owned by another user, i.e. phpmyadmin:phpmyadmin, the files can be
> overwritten by itself.
>
> I.e.:
>
> Somebody finds a new security flaw in phpmyadmin and can run any PHP code
> with server's privileges. In this case it is phpmyadmin user privileges.
> Then he can overwrite phpmyadmin's scripts as far as this user is owner of
> these scripts.
>
> I think the suPHP should never ever run the phpmyadmin files!

Of course, then it shouldn't be used for any system applications as you stated before. I didn't think of that; closing this bug.

There is an Apache directive to enable/disable suPHP in global or VirtualHost context. Therefore, I wish the following to be added to one of the <Directory> sections in /etc/phpmyadmin/apache.conf (if this is possible: according to http://www.suphp.org/Documentation-Module-Configuration.en.html, it is only allowed in "global" context and in VirtualHosts).

Thank you!

<IfModule mod_suphp.c>
    # Disable suPHP for security reasons
    suPHP_Engine off
</IfModule>

-- 
Peter Thomassen - Steigerwaldstr. 4 - 97076 Würzburg - Germany
http://www.peter-thomassen.de/ - [EMAIL PROTECTED]
fon +49-931-2705351 - mobile +49-160-6789161
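The concern in the quoted message is that under suPHP the scripts execute as the user who owns them, so the executing user can rewrite them. As an added example (not part of the original message; the function names are hypothetical), this audits a web application tree for files and directories that a given uid could modify, using mode bits only and ignoring ACLs.

```python
import os
import stat
import tempfile


def modifiable_by(path, uid, gids=()):
    """Return why `uid` could modify `path`, or None (mode bits only, no ACLs)."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return None  # skip symlinks; their own mode bits are not meaningful
    if st.st_uid == uid:
        return "owner"  # the owner can write, or chmod and then write
    if st.st_gid in gids and st.st_mode & stat.S_IWGRP:
        return "group-writable"
    if st.st_mode & stat.S_IWOTH:
        return "world-writable"
    return None


def audit_tree(root, uid, gids=()):
    """List (path, reason) for every directory and file under `root` that
    the user executing the scripts could overwrite or replace."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        # A writable directory lets the user replace the files inside it.
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            reason = modifiable_by(path, uid, gids)
            if reason:
                findings.append((path, reason))
    return findings


if __name__ == "__main__":
    # Constructed sample tree: files created here are owned by the current
    # user, which mirrors suPHP running each script as its owner.
    with tempfile.TemporaryDirectory() as root:
        script = os.path.join(root, "index.php")
        with open(script, "w") as fh:
            fh.write("<?php ?>\n")
        os.chmod(script, 0o644)
        for path, reason in audit_tree(root, os.getuid()):
            print(f"{reason:15} {path}")
```

An empty result for the uid the PHP interpreter runs as means a code-execution flaw in the application cannot be used to rewrite its own scripts through ordinary file permissions.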

