Tim Hasson writes:

> I am developing a web based interface on it using php/mysql
[...]

> My worst fear is of an exploit like the recent SSL v2 vulnerability
> where an unauthenticated user, or an anonymous user, could just simply 
> exploit the apache process, and use it as a stepping stone.

You're worried about an obscure SSL vulnerability when you're using
PHP?  Unless you're planning on a dedicated mail server with no user
accounts having webspace, your setup will be wide open.  Without an
add-on giving the equivalent behaviour of suexec, you need to make any
directories and files that you need to modify readable and writeable by
the httpd user.  So anybody with web space on the server can write some
PHP to read and/or trash other people's mail.

Being worried about obscure attacks when you're using PHP is like
worrying about somebody 100 yards away striking a match when your
clothes are on fire.

-- 
Paul Allen
Softflare Support
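
The exposure described in this reply can be checked from file modes alone. The following is an added example, not part of the original thread: it walks a mail directory and lists every entry a given web-server uid/gid could read or write, skipping subtrees behind a directory that identity cannot search. The function names, the sample tree and the uid values are constructed for illustration; ACLs and root's override are not modelled.

```python
import os
import tempfile

def access(st, uid, gids):
    """Permission letters (subset of 'rwx') that identity uid/gids gets from st."""
    if st.st_uid == uid:
        shift = 6          # owner class
    elif st.st_gid in gids:
        shift = 3          # group class
    else:
        shift = 0          # other class
    bits = (st.st_mode >> shift) & 7
    return "".join(c for c, b in zip("rwx", (4, 2, 1)) if bits & b)

def audit(root, uid, gids):
    """List (relative path, access) for entries under root the identity can read or write.

    Assumes root itself is reachable. A subtree is skipped when its directory
    lacks search (x) permission for the identity, since nothing below it can be opened.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        searchable = []
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            acc = access(os.lstat(path), uid, gids)
            if "r" in acc or "w" in acc:
                findings.append((os.path.relpath(path, root), acc))
            if name in dirnames and "x" in acc:
                searchable.append(name)
        dirnames[:] = searchable   # prune what the identity cannot enter
    return sorted(findings)

def build_sample():
    """Constructed sample tree: one locked-down mailbox, one opened up for the web UI."""
    root = tempfile.mkdtemp()
    for name, dir_mode, file_mode in (("private", 0o700, 0o644), ("shared", 0o755, 0o666)):
        os.mkdir(os.path.join(root, name))
        inbox = os.path.join(root, name, "inbox")
        open(inbox, "w").close()
        os.chmod(inbox, file_mode)
        os.chmod(os.path.join(root, name), dir_mode)
    return root

if __name__ == "__main__":
    # Hypothetical httpd identity: a uid that owns nothing in the sample tree.
    for path, acc in audit(build_sample(), os.geteuid() + 1, set()):
        print(acc.ljust(3), path)
```

Run as root against the real mail directory, passing the uid and group ids the web server actually runs under; any line in the output is something every PHP script on that server can reach.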

