On Mon, 1 Jan 2001, Loyd Goodbar wrote:
> Does Midgard have any security issues (other than the administration
> interface)? Can the knowledge that I use Midgard to generate a website be used
> to break said site? What about using PHP to "break into" Midgard?
>
I've been wondering about this myself, particularly the case where
there are multiple users of the same server. A possible attack (which I
haven't tried):

A user (only with php script access) runs a script that uses gdb to
attach to a child server and dump an image of the process (the php script
run inside Apache). The hacker then examines the process image for the
database names and passwords.

Are there other ways to access the process image besides a debugger
(i.e. something else to leave out of a chroot environment), particularly
using only PHP? I don't see any functions for dynamically loading code
into PHP from user code, so I _think_ you would have to go outside php to
do it. But I'm not a security expert, just slightly paranoid,
particularly now that we're going to try giving script access to
customers. (and probably Midgard use as well)

Congrats on getting to stable 1.4. One request - can you add to the
install docs cases where different virtual hosts use different databases?
(I think you said this capability was added a while back).

Lynn
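Added example, not part of the original message or of Midgard's code: a small host audit for the three preconditions the scenario above depends on (a script that can start external programs, a kernel that permits attaching to another process, and debug tools reachable inside the chroot). It assumes a Linux host where the Yama `ptrace_scope` setting may be present; the function names `ini_value` and `audit` and all sample inputs are constructed for illustration.

```python
# Added example: audit a shared PHP host for the preconditions of the
# debugger-attach scenario. All inputs below are constructed samples.
import re

# Stock PHP functions that start external programs.
SPAWNERS = {"exec", "system", "passthru", "shell_exec", "popen",
            "proc_open", "pcntl_exec"}
# Tools that can attach to or dump another process.
DEBUG_TOOLS = {"gdb", "gcore", "strace", "ltrace"}

def ini_value(ini_text, key):
    """Return the last uncommented value of `key` in php.ini text, or ''."""
    value = ""
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()      # ';' starts a comment
        m = re.match(rf"{re.escape(key)}\s*=\s*(.*)$", line)
        if m:
            value = m.group(1).strip().strip('"')
    return value

def audit(ini_text, ptrace_scope, chroot_files):
    """ptrace_scope: int read from /proc/sys/kernel/yama/ptrace_scope,
    or None when that file does not exist."""
    findings = []
    listed = ini_value(ini_text, "disable_functions").split(",")
    disabled = {name.strip() for name in listed if name.strip()}
    missing = sorted(SPAWNERS - disabled)
    if missing:
        findings.append("scripts can start programs via: " + ", ".join(missing))
    if not ptrace_scope:                          # 0 or None
        findings.append("no Yama ptrace restriction (ptrace_scope is 0 or absent)")
    tools = sorted(DEBUG_TOOLS & {p.rsplit("/", 1)[-1] for p in chroot_files})
    if tools:
        findings.append("debug tools inside chroot: " + ", ".join(tools))
    return findings

SAMPLE_INI = """\
; constructed sample php.ini fragment
disable_functions = exec, system, passthru
"""
SAMPLE_CHROOT = ["/usr/bin/gdb", "/bin/sh", "/usr/bin/php"]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INI, 0, SAMPLE_CHROOT):
        print("-", finding)
```

An empty result means none of the three preconditions was found; it does not replace running each customer's scripts under a separate uid.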