Hi everybody,

We have a suPHP shared hosting setup, but it is vulnerable to session poisoning:
http://ha.xxor.se/2011/09/local-session-poisoning-in-php-part-1.html

Even when running suPHP and a system user for each site, the system is vulnerable. An easy fix would be if suPHP would only read sessions that are owned by the same user as the script owner, and refused to read session files made by others. Can this be set up?

Another solution is to generate suhosin crypt keys for each user, but this is hard to do, as we are going to mess with the php.ini files of each user, which may break their configuration.

Sune Beck
_______________________________________________
suPHP mailing list
[email protected]
https://lists.marsching.com/mailman/listinfo/suphp
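The ownership check proposed above can also be enforced from PHP itself rather than in suPHP. The following is an added example, not code from suPHP or from the poster: a custom session save handler that ignores session files whose owner differs from the effective user the script runs as (under suPHP, the site's system user). It assumes PHP 8 with the POSIX extension and a file-based `session.save_path`; the class name and the `auto_prepend_file` deployment are hypothetical.

```php
<?php
// Added example (hypothetical): refuse session files not owned by the user
// the script runs as. Under suPHP the effective uid is the script owner, so
// a session file planted by another account on the shared host is ignored.
final class OwnerCheckedSessionHandler implements SessionHandlerInterface
{
    public function __construct(private string $dir) { $this->dir = rtrim($dir, '/'); }

    private function path(string $id): string
    {
        // Only plain session ids reach the filesystem (no path tricks).
        if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id)) {
            throw new RuntimeException('invalid session id');
        }
        return $this->dir . '/sess_' . $id;
    }

    // Core check: the file must belong to our effective uid.
    private function ownedByUs(string $file): bool
    {
        return fileowner($file) === posix_geteuid();
    }

    public function open(string $path, string $name): bool { return is_dir($this->dir); }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $file = $this->path($id);
        if (!is_file($file)) { return ''; }
        if (!$this->ownedByUs($file)) {
            error_log("session $id rejected: file owner is not uid " . posix_geteuid());
            return ''; // treat as an empty, fresh session instead of trusting it
        }
        return (string) file_get_contents($file);
    }

    public function write(string $id, string $data): bool
    {
        $file = $this->path($id);
        if (is_file($file) && !$this->ownedByUs($file)) { return false; } // never adopt a foreign file
        // 0600: other users on the host can neither read nor rewrite it.
        return file_put_contents($file, $data, LOCK_EX) !== false && chmod($file, 0600);
    }

    public function destroy(string $id): bool { $f = $this->path($id); return !is_file($f) || unlink($f); }
    public function gc(int $max): int|false { $n = 0; foreach (glob($this->dir . '/sess_*') ?: [] as $f) { if (filemtime($f) + $max < time() && unlink($f)) { $n++; } } return $n; }
}

// Installed via auto_prepend_file so it applies before any session_start() in the site's code.
session_set_save_handler(new OwnerCheckedSessionHandler(session_save_path() ?: sys_get_temp_dir()), true);
```

The check only helps when `session.save_path` is shared between accounts; giving each account its own save path under its home directory (mode 0700) removes the cross-user exposure entirely and is the simpler fix where the hosting configuration allows it.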
