[Bug 1335652] Re: phpinfo() Type Confusion Information Leak Vulnerability

Seth Arnold 1335652 at bugs.launchpad.net
Mon Jun 30 23:14:42 UTC 2014


Thanks for reporting this issue; however, I do not believe this is a
security fix, rather a simple reliability fix.

The PHP team has been clear that the interpreter is not designed nor
intended to provide any kind of security layer and scripts executing in
the interpreter should be considered to have full, legitimate, access to
everything that is available to the PHP interpreter.

In this case that means that TLS private keys available to mod_ssl are
intentionally available to all PHP scripts running via mod_php. Any
administrator that wants to keep TLS private keys away from PHP must use
a mechanism such as CGI, FastCGI, or PHP FPM to execute the scripts in a
different address space and with different privileges.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to php5 in Ubuntu.
https://bugs.launchpad.net/bugs/1335652

Title:
  phpinfo() Type Confusion Information Leak Vulnerability

To manage notifications about this bug go to:
https://bugs.launchpad.net/php/+bug/1335652/+subscriptions
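
An added example, not part of the original message or of PHP/Ubuntu code: an audit sketch that reads /proc/<pid>/maps listings and reports processes where the PHP interpreter and mod_ssl are loaded into the same address space, which is the mod_php situation the reply describes. The module file-name patterns and the sample listings are assumptions made for the illustration.

```python
import fnmatch
import os

# File-name patterns are assumptions: libphp5.so is how Ubuntu's php5 ships mod_php.
PHP_PATTERNS = ("libphp*.so", "mod_php*.so")
SSL_PATTERNS = ("mod_ssl.so",)

def mapped_objects(maps_text):
    """Basenames of file-backed mappings in one /proc/<pid>/maps listing."""
    names = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # address perms offset dev inode [path]
        if len(fields) == 6 and fields[5].startswith("/"):
            names.add(os.path.basename(fields[5].strip()))
    return names

def shares_address_space(maps_text):
    """True when the PHP interpreter and mod_ssl are mapped into the same process."""
    names = mapped_objects(maps_text)
    def has(patterns):
        return any(fnmatch.fnmatch(n, p) for n in names for p in patterns)
    return has(PHP_PATTERNS) and has(SSL_PATTERNS)

def audit(proc_maps):
    """proc_maps maps pid -> maps text; returns the pids that mix PHP and mod_ssl."""
    return sorted(pid for pid, text in proc_maps.items() if shares_address_space(text))

def read_live_maps(proc="/proc"):
    """Collect maps for every readable process (root is needed for other users' processes)."""
    found = {}
    for entry in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, entry, "maps")) as fh:
                found[int(entry)] = fh.read()
        except OSError:
            continue  # process exited or permission denied
    return found

# Constructed sample listings (pids, addresses and inodes are made up).
SAMPLE = {
    1201: "7f10a000-7f10b000 r-xp 00000000 08:01 11 /usr/lib/apache2/modules/mod_ssl.so\n"
          "7f20a000-7f20b000 r-xp 00000000 08:01 12 /usr/lib/apache2/modules/libphp5.so\n",
    1302: "7f10a000-7f10b000 r-xp 00000000 08:01 11 /usr/lib/apache2/modules/mod_ssl.so\n"
          "7f30a000-7f30b000 rw-p 00000000 00:00 0 [heap]\n",
    1303: "00400000-00401000 r-xp 00000000 08:01 13 /usr/sbin/php5-fpm\n",
}

if __name__ == "__main__":
    print("sample:", audit(SAMPLE), "live:", audit(read_live_maps()))
```

In the sample, only pid 1201 is reported; the Apache worker without PHP (1302) and the separate php5-fpm process (1303) are the layout the reply recommends.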
