From owner-freebsd-isp@FreeBSD.ORG Wed Nov 12 23:46:16 2003
Return-Path:
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 33E1516A4CE
	for ; Wed, 12 Nov 2003 23:46:16 -0800 (PST)
Received: from munk.nu (mail.munk.nu [213.152.51.194])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 4D2B943FE1
	for ; Wed, 12 Nov 2003 23:46:15 -0800 (PST)
	(envelope-from munk@munk.nu)
Received: from munk by munk.nu with local (Exim 4.24; FreeBSD 4.8)
	id 1AKCBC-000DdX-2c
	for freebsd-isp@freebsd.org; Thu, 13 Nov 2003 07:46:14 +0000
Date: Thu, 13 Nov 2003 07:46:14 +0000
From: Jez Hancock
To: FreeBSD ISP List
Message-ID: <20031113074614.GD48330@users.munk.nu>
Mail-Followup-To: FreeBSD ISP List
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.1i
Sender: User Munk
Subject: Apache leaks sensitive info in PHP phpinfo() calls
X-BeenThere: freebsd-isp@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Internet Services Providers
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 13 Nov 2003 07:46:16 -0000

Hi,

Recently posted this to freebsd-questions but thought it might be a suitable
subject for -isp.

I wanted to get some opinions on this subject before I submit a PR about
it. I don't know if there are any pitfalls with the 'fix' I suggested and
thought it best to run it past people here before submitting. If there's a
better place to post this please let me know (freebsd-ports?).

The send-pr output I was about to send explains everything so I'll just
paste it here:

-snip-
To: FreeBSD-gnats-submit@freebsd.org
From: Jez Hancock
Reply-To: Jez Hancock

>Submitter-Id: current-users
>Originator: Jez Hancock
>Organization: n/a
>Confidential: no
>Synopsis: Apache httpd leaks environment information in PHP phpinfo() calls
>Severity: non-critical
>Priority: low
>Category: ports
>Class: change-request
>Release: FreeBSD 4.8-STABLE i386
>Environment:
System: FreeBSD users.munk.nu 4.8-STABLE FreeBSD 4.8-STABLE #1: Fri Apr 18 14:38:46 BST 2003 root@users.munk.nu:/usr/obj/usr/src/sys/MUNKBOXEN i386

>Description:
The apache13 port control script /usr/local/sbin/apachectl is used to
control the apache httpd daemon. However the apachectl script does not
start with a clean environment, inheriting the environment of the user
that invokes the script.

As a consequence the environment variables set by the shell of the user
that invokes apachectl (usually a UID 0 user) are visible to users when
executing a command such as phpinfo() in the PHP $_ENV superglobal array.

>How-To-Repeat:
Invoke the apachectl control script as a user who has shell environment
variables set. Browse to a web page served by the httpd that contains a
PHP phpinfo() call and observe the environment of the user in the $_ENV
superglobal array.

>Fix:
Add a single line to the apachectl control script to ensure apache runs
with a clean environment:

*** /usr/local/sbin/apachectl Thu Nov 13 06:59:05 2003 --- /usr/local/sbin/apachectl.bak Thu Nov 13 06:58:54 2003 *************** *** 26,32 **** # # the path to your httpd binary, including options if necessary HTTPD=/usr/local/sbin/httpd - HTTPD=`echo /usr/bin/env -i $HTTPD` # # a command that outputs a formatted text version of the HTML at the # url given on the command line. Designed for lynx, however other --- 26,31 ----
-snip-

This appears to work as required, removing any details about the
apachectl-invoking user's environment from the $_ENV array.

Are there any pitfalls of using env in this way though?

--
Jez Hancock
 - System Administrator / PHP Developer

http://munk.nu/
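
Review bot: The diff is generated in the reverse direction: the header names /usr/local/sbin/apachectl as the old file (***) and apachectl.bak as the new one (---), so the HTTPD=`echo /usr/bin/env -i $HTTPD` line in the 26,32 block is marked "-" and applying the patch as posted would remove the fix instead of adding it. Regenerate it with apachectl.bak as the first argument to diff so the line shows up as an addition. On the added line itself, the backquoted echo is redundant; HTTPD="/usr/bin/env -i $HTTPD" assigns the same string without a command substitution. Note also that env -i hands httpd a completely empty environment, so PATH, TZ and the locale variables are dropped along with the invoking user's settings, for httpd and for anything it spawns. If any of those are needed they can be set explicitly after -i, for example /usr/bin/env -i PATH=/sbin:/bin:/usr/sbin:/usr/bin $HTTPD, which keeps the environment an explicit allow-list rather than whatever the invoking shell had.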