4 Feb
2009
4 Feb
'09
6:20 p.m.
On 4-Feb-09, at 12:00 PM, Morbus Iff wrote:
This isn't on the same mentality/vein as "well, we have to *trust* that the MySQL database is secure too, don't we?", because databases almost always get their own username and password - but the Apache webserver is most often run as a single user, without suexec'ing.
Since the web server can read settings.php, presumably the SQL DB password could be extracted as well. So the same user module attack could be executed regardless of SQLite? --Andrew