On Mon, 20 Aug 2001, Andy Turner wrote:

> On Mon, Aug 20, 2001 at 01:40:30PM +0800, Stas Bekman wrote:
> > On Thu, 16 Aug 2001, Andy Turner wrote:
> > > On Wed, Aug 15, 2001 at 12:54:58PM -0400, Philip Mak wrote:
> > > > 1. A hacker with access to a virtual host on a mod_perl Apache can steal
> > > > the Apache::DBI database handles of the other virtual hosts on that
> > > > Apache. suexec/cgiwrap won't work in mod_perl.
> > >
> > > The simplest answer is to just not use Apache::DBI.  Just use DBI
> > > normally. The only drawback is that you don't cache database handles
> > > this way.  But in many configurations that isn't an issue.
> >
> > Huh? You can read anything from the memory once you are running in the
> > same process, be it Apache::DBI, DBI or your own raw access module.
>
> Ahh, I was assuming a DBI handle lexically scoped to the handler subroutine,
> sorry about the confusion.

It can be lexically scoped, but it doesn't prevent you from reading from
memory. It's not easy but possible. But things are even simpler, see
below.

> So long as the handle goes away with the connection you're okay.

Your dsn + login/passwd stored in the file are readable by other users,
who are in the same group as the server, so you are *NOT* OK.

_____________________________________________________________________
Stas Bekman              JAm_pH     --   Just Another mod_perl Hacker
http://stason.org/       mod_perl Guide  http://perl.apache.org/guide
mailto:[EMAIL PROTECTED]   http://localhost/      http://eXtropia.com/
http://singlesheaven.com http://perl.apache.org http://perlmonth.com/
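An added example, not part of the thread or of mod_perl itself, for the second point above: a small Perl audit that reports which local accounts can read a file holding a DSN and login/password, given the group Apache runs as. The file path and server group name are arguments supplied by the caller.

```perl
#!/usr/bin/perl
# Audit who can read a file that holds a DBI DSN and login/password.
# Usage: audit_dsn_file.pl /path/to/db.conf www-data
# (path and group name are assumed inputs, not values from the thread)
use strict;
use warnings;
use Fcntl ':mode';

my ($file, $server_group) = @ARGV;
die "usage: $0 FILE SERVER_GROUP\n" unless defined $server_group;

my @st = stat $file or die "stat $file: $!\n";
my ($mode, $uid, $gid) = @st[2, 4, 5];
my $owner   = getpwuid($uid) // $uid;
my $group   = getgrgid($gid) // $gid;
my $srv_gid = getgrnam($server_group);
die "unknown group $server_group\n" unless defined $srv_gid;

printf "%s: owner=%s group=%s mode=%04o\n", $file, $owner, $group, $mode & 07777;

if ($mode & S_IROTH) {
    print "WORLD-READABLE: every local user can read the credentials.\n";
}
elsif ($mode & S_IRGRP) {
    # Everyone who can read via the group bit: explicit members of the
    # file's group plus users whose primary group it is.
    my %readers;
    my (undef, undef, undef, $members) = getgrgid($gid);
    $readers{$_} = 1 for split ' ', $members // '';
    setpwent();
    while (my ($name, undef, undef, $pgid) = getpwent()) {
        $readers{$name} = 1 if $pgid == $gid;
    }
    endpwent();
    delete $readers{$owner};
    if (%readers) {
        print "GROUP-READABLE by: ", join(', ', sort keys %readers), "\n";
        # This is the case the thread warns about: the file is shared
        # with every other account in the server's group.
        print "  (file group == server group: other vhost owners in it can read it)\n"
            if $gid == $srv_gid;
    }
}
else {
    print "OK: only the owner can read this file.\n";
}
```

Run it against each file that a PerlRequire'd module or startup script reads credentials from; any account listed under GROUP-READABLE can pick the DSN and password straight out of the file without touching the server's memory.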