-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
PHP APC is an opcode cache for PHP, or, as the developers say: "APC is a free, open, and robust framework for caching and optimizing PHP intermediate code."
While at least some of its developers do not consider this an issue (based on the assumption that "it is pretty well understood that opcode caches need a better defined environment than the chaos of a general mass vhosting ISP"), it is not documented and not neccessarily known that PHP APC does not provide safety measures against local attacks.
According to one of the developers, in a multi-user environment, attacks that users can currently carry out against other local users are filling the user cache constantly delete the cache both of which may lead to a DoS situation.
In addition, there's a cross site scripting issue which comes into play when you have local users which are able to create files and cause those to be cached, and a server admin later visits the apc.php web interface which comes with PHP APC. See below for further information on this specific issue.
Cross Site Scripting vulnerability in PHP-APC
PHP APC 3.1.1, 3.0.19 and probably earlier versions of PHP-APC are subject to a cross site scripting vulnerability which can be triggered by local users.
This issue is caused by insufficient validation of path and file names which are displayed to an authenticated admin when viewing the 'System Cache Entries' and 'User Cache Entries' sections on the apc.php web management interface.
This issue can be exploited in all environments which different access levels for the PHP APC admin and other users with local write permissions apply.
This issue has been fixed in PHP APC CVS. http://cvs.php.net/viewvc.cgi/pecl/apc/apc.php?r1=3.73&r2=3.74
Report by Moritz Naumann, Naumann IT Consulting & Services, Berlin, Germany. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux)
iEYEAREKAAYFAklL9CcACgkQn6GkvSd/BgzKzwCaApHUNViTrP37L07R5PNYd91x TEMAn3wlCWIv0zLdB0mPLJ+irNnPkeJk =URtO -----END PGP SIGNATURE-----