Tim Hasson writes:

> I am developing a web based interface on it using php/mysql

> My worst fear is of a exploit like the recent SSL v2 vulnerability
> where an unautheticated user, or an anonymous user, could just simply 
> exploit the apache process, and use it as a step stone.

You're worried about an obscure SSL vulnerability when you're using
PHP?  Unless you're planning on a dedicated mail server with no user
accounts having webspace, your setup will be wide open.  Without an
add-giving the eqvuivalent behaviour of suexec, you need to make any
directories and files that you need to modify readable and writeable by
the httpd user.  So anybody with web space on the server can write some
PHP to read and/or trash other people's mail.

Being worried about obscure attacks when you're using PHP is like
worrying about somebody 100 yards away striking a match when your
clothes are on fire.

Paul Allen
Softflare Support

Reply via email to