Posted by Imre RAD on Jan 27
In suEXEC_Daemon mode, the LiteSpeed web server spawns one PHP master
process during startup. It runs as root and accepts LSAPI
requests, which in turn specify which user the script should run under.
The LSAPI request is authenticated with a MAC, which is based on
a preshared random key between PHP and the web server.
We found that the LiteSpeed PHP SAPI module did not clear this secret in its
child processes, so it was available in the…
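
The following is an added example, not code from the advisory or from LiteSpeed. It shows why the secret has to be wiped in each child: a forked worker inherits a copy of the master's memory, so the key stays readable there until the child overwrites it. The names `g_key`, `secure_wipe`, `key_bytes_visible_in_worker` and the 16-byte constructed key are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define KEY_LEN 16
/* Hypothetical stand-in for the preshared MAC key held by the root master. */
static unsigned char g_key[KEY_LEN];

/* Zero through a volatile pointer so the compiler cannot drop the stores. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Number of non-zero key bytes readable in the calling process. */
static int key_bytes_present(void) {
    int n = 0;
    for (size_t i = 0; i < KEY_LEN; i++) n += (g_key[i] != 0);
    return n;
}

/* Fork one worker and return how many key bytes it could still read (-1 on
 * error). wipe != 0 scrubs the key in the child before a script would run. */
int key_bytes_visible_in_worker(int wipe) {
    int fds[2], n = -1;
    memset(g_key, 0xA5, KEY_LEN);            /* constructed key material */
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                          /* worker: inherits a copy of g_key */
        close(fds[0]);
        if (wipe) secure_wipe(g_key, KEY_LEN);
        n = key_bytes_present();
        _exit(write(fds[1], &n, sizeof n) == (ssize_t)sizeof n ? 0 : 1);
    }
    close(fds[1]);                           /* master: keeps its own copy */
    if (read(fds[0], &n, sizeof n) != (ssize_t)sizeof n) n = -1;
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return n;
}
int main(void) {
    printf("no wipe: %d, wipe: %d key bytes visible in worker\n",
           key_bytes_visible_in_worker(0), key_bytes_visible_in_worker(1));
    return 0;
}
```

The wipe has to happen in the child before any user-controlled code runs there; the master's own copy is unaffected because the two processes no longer share those pages after `fork()`.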