i've heard (though not confirmed myself) that if php is running as a loadable apache module it is possible to use such a local attack vector to read from the apache parent's memory, and extract tasty morcels such as unencrypted SSL keys. obviously this would have an
I don't know if it's possible but some bugs would allow you indeed to real Apache's local memory. I have no knowledge about if the keys are present there in a form that makes possible to steal them. It is quite easy to protect against that, however - by running PHP as FastCGI module. Which seems to be a good solution for people running untrusted code in context of their PHP servers.
-- Stanislav Malyshev, Zend Products Engineer [EMAIL PROTECTED] http://www.zend.com/ -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
