Comment 8 for bug 11223

In , Florian Weimer (fw) wrote : Re: [PATCH,RFC] Backport of PHP 4.3.9 security fixes: pack()/unpack()

* Martin Schulze:

> You can only exploit the bug for which you provided a backport (didn't
> the patch apply well?) if you write a malicious php script.
> That's not an issue. You can do more with a malicious php script
> with less effort.

Unfortunately, PHP provides a feature called "safe mode". When turned
on, PHP makes the promise that PHP scripts are sandboxed. pack() and
unpack() are probably available in safe mode, too. (I haven't checked
this. Hans?)

Although I firmly believe that the "safe mode" feature cannot work as
advertised (simply because most C libraries that are accessible from
PHP code by default were never designed to be used in this fashion,
i.e. by untrusted callers), it's nevertheless an official feature of
PHP. Some of our users rely on it, so at least some form of advisory
is required.

Good advice (which is implemented by sufficiently clueful web
hosters) is running PHP scripts from different customers under
different user IDs. Of course, there's a performance penalty, and
it's hard to set up correctly: you need a UID transition at one point
because you can't run multiple Apache processes with different user
IDs unless you use IP-based virtual hosts.
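The check Florian asks about (whether pack() and unpack() stay callable once safe_mode is on) can be scripted. The following is an added example written for this page, not code from the bug report or from PHP itself; it assumes a PHP build old enough to still honour the safe_mode directive (removed in PHP 5.4) and uses a constructed two-field binary buffer as its sample input.

```php
<?php
// Added example, not part of the original bug discussion.
// Reports whether pack()/unpack() are reachable from a script under the
// current configuration, and round-trips a small constructed buffer through
// them. Run with something like:  php -d safe_mode=1 check_pack.php
// (safe_mode is only honoured by PHP <= 5.3; on newer builds it reports "no").

function pack_unpack_status()
{
    // disable_functions is the only ini mechanism that removes a builtin.
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));

    $status = array(
        'safe_mode'       => (bool) ini_get('safe_mode'),
        'pack_callable'   => function_exists('pack')   && !in_array('pack', $disabled),
        'unpack_callable' => function_exists('unpack') && !in_array('unpack', $disabled),
        'roundtrip_ok'    => false,
    );

    if ($status['pack_callable'] && $status['unpack_callable']) {
        // Constructed sample: a 16-bit big-endian length followed by two bytes.
        $bin  = pack('nC2', 0x1234, 0xde, 0xad);
        // 'C2bytes' yields keys bytes1 and bytes2.
        $back = unpack('nlen/C2bytes', $bin);
        $status['roundtrip_ok'] = ($back['len'] === 0x1234
                                   && $back['bytes1'] === 0xde
                                   && $back['bytes2'] === 0xad);
    }
    return $status;
}

foreach (pack_unpack_status() as $key => $value) {
    printf("%-16s %s\n", $key, $value ? 'yes' : 'no');
}
```

If the script prints "yes" for all four lines with safe_mode enabled, the binary-parsing code in pack()/unpack() is reachable from a "sandboxed" script: safe_mode only gates file and process functions by UID comparison, which is the practical reason an advisory matters even though the bug needs a malicious script to trigger.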