From owner-freebsd-isp@FreeBSD.ORG Thu Nov 13 07:15:15 2003
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 74B6416A4D2; Thu, 13 Nov 2003 07:15:15 -0800 (PST)
Received: from mail1.firstlink.com (mail1.firstlink.com [66.37.141.14]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1683443FBF; Thu, 13 Nov 2003 07:15:14 -0800 (PST) (envelope-from dvm@firstlink.com)
Received: from shrex.asp.firstlink.com (shrex.firstlink.com [66.37.141.10]) by mail1.firstlink.com (Postfix) with ESMTP id 4C5C1126215; Thu, 13 Nov 2003 08:15:13 -0700 (MST)
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
content-class: urn:content-classes:message
Date: Thu, 13 Nov 2003 08:15:13 -0700
Message-ID: <6633DBDE6F5ED64D9D6AF3264AEE89147B29A4@shrex.asp.firstlink.com>
Thread-Topic: Apache leaks sensitive info in PHP phpinfo() calls
Thread-Index: AcOpumLKJZ+oThS6QiKW/z1/VjR+2gAPTT6A
From: "Dan Vande More"
To: "Jez Hancock", "FreeBSD ISP List"
Subject: RE: Apache leaks sensitive info in PHP phpinfo() calls
X-BeenThere: freebsd-isp@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Internet Services Providers
X-List-Received-Date: Thu, 13 Nov 2003 15:15:15 -0000

Sometimes httpd/php needs shell environment variables, especially when
working with Oracle. In other words, that's a feature, not a bug.

If you have a hosting environment, I recommend you use these in your
/usr/local/lib/php.ini:

disable_functions = exec,passthru,proc_close,proc_open,shell_exec,system,phpinfo

-Dan Vande More

-----Original Message-----
From: Jez Hancock [mailto:jez.hancock@munk.nu]
Sent: Thursday, November 13, 2003 12:46 AM
To: FreeBSD ISP List
Subject: Apache leaks sensitive info in PHP phpinfo() calls

Hi,

Recently posted this to freebsd-questions but thought it might be a
suitable subject for -isp.

I wanted to get some opinions on this subject before I submit a PR about
it. I don't know if there are any pitfalls with the 'fix' I suggested
and thought it best to run it past people here before submitting. If
there's a better place to post this please let me know (freebsd-ports?).

The send-pr output I was about to send explains everything so I'll just
paste it here:

-snip-
To: FreeBSD-gnats-submit@freebsd.org
From: Jez Hancock
Reply-To: Jez Hancock

>Submitter-Id: current-users
>Originator: Jez Hancock
>Organization: n/a
>Confidential: no
>Synopsis: Apache httpd leaks environment information in PHP phpinfo() calls
>Severity: non-critical
>Priority: low
>Category: ports
>Class: change-request
>Release: FreeBSD 4.8-STABLE i386
>Environment:
System: FreeBSD users.munk.nu 4.8-STABLE FreeBSD 4.8-STABLE #1: Fri Apr 18 14:38:46 BST 2003 root@users.munk.nu:/usr/obj/usr/src/sys/MUNKBOXEN i386
>Description:
The apache13 port control script /usr/local/sbin/apachectl is used to
control the apache httpd daemon. However, the apachectl script does not
start with a clean environment, inheriting the environment of the user
that invokes the script.

As a consequence, the environment variables set by the shell of the user
that invokes apachectl (usually a UID 0 user) are visible to users when
executing a command such as phpinfo(), in the PHP $_ENV superglobal
array.
>How-To-Repeat:
Invoke the apachectl control script as a user who has shell environment
variables set.

Browse to a web page served by the httpd that contains a PHP phpinfo()
call and observe the environment of the user in the $_ENV superglobal
array.
>Fix:
Add a single line to the apachectl control script to ensure apache runs
with a clean environment:

*** /usr/local/sbin/apachectl	Thu Nov 13 06:59:05 2003
--- /usr/local/sbin/apachectl.bak	Thu Nov 13 06:58:54 2003
***************
*** 26,32 ****
  #
  # the path to your httpd binary, including options if necessary
  HTTPD=/usr/local/sbin/httpd
- HTTPD=`echo /usr/bin/env -i $HTTPD`
  #
  # a command that outputs a formatted text version of the HTML at the
  # url given on the command line. Designed for lynx, however other
--- 26,31 ----
-snip-

This appears to work as required, removing any details about the
apachectl-invoking user's environment from the $_ENV array. Are there
any pitfalls of using env in this way though?

-- 
Jez Hancock - System Administrator / PHP Developer
http://munk.nu/

_______________________________________________
freebsd-isp@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-isp
To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
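Review bot: the hunk in the ">Fix:" section is reversed: the edited /usr/local/sbin/apachectl is given as the `***` (old) file and apachectl.bak as the `---` (new) file, so the line the fix adds, `- HTTPD=\`echo /usr/bin/env -i $HTTPD\``, shows up as a removal and the hunk will not apply as the "add a single line" description says; regenerate it as `diff -c apachectl.bak apachectl`. On the line itself, `env -i` empties the whole environment, PATH included, which is the behaviour Dan's reply warns breaks setups that depend on variables such as Oracle's; an explicit allow-list form such as `HTTPD="/usr/bin/env -i PATH=/usr/bin:/bin $HTTPD"` keeps the scrubbing while passing through only what httpd needs, and the `echo` in backticks adds nothing over that plain quoted assignment.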
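As an added example (not code from this thread or from the apache13 port's apachectl), the following POSIX shell script reproduces the inheritance problem Jez describes, applies the `env -i` scrubbing his patch uses, and extends it with the explicit allow-list that answers Dan's point about software that genuinely needs certain variables. DEMO_SECRET, DEMO_NEEDED and SAFE_PATH are constructed names and values assumed for the demonstration, not anything taken from the port.

```shell
#!/bin/sh
# Added example, not code from the thread or from the apache13 port.
# It shows that a process started from an interactive shell inherits that
# shell's environment, and that `env -i` with an explicit allow-list removes
# the inherited variables while still passing the few the daemon needs.

# Constructed stand-in for a sensitive variable an administrator's shell
# might carry (the thread's real-world example is Oracle settings).
export DEMO_SECRET="constructed-sensitive-value"

# env -i drops PATH as well, so a clean start must supply one explicitly.
# The value below is an assumption, not taken from the port's apachectl.
SAFE_PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Count how many DEMO_SECRET entries a child started the default way sees
# (this is what apachectl does when it runs $HTTPD with no scrubbing).
inherited_env_leaks() {
    sh -c 'env' | grep -c '^DEMO_SECRET=' || true
}

# Same child, started through `env -i` as the proposed apachectl fix does.
clean_env_leaks() {
    /usr/bin/env -i PATH="$SAFE_PATH" sh -c 'env' | grep -c '^DEMO_SECRET=' || true
}

# Allow-listing: a variable the daemon really needs (constructed name) is
# passed by name on the env command line, so scrubbing does not break
# software that depends on it. Returns the value the child actually sees.
clean_env_passthrough() {
    needed="constructed-needed"
    /usr/bin/env -i PATH="$SAFE_PATH" DEMO_NEEDED="$needed" \
        sh -c 'printf "%s" "$DEMO_NEEDED"'
}

# Stand-alone run: the inherited start shows the secret once, the clean
# start shows it zero times, and the allow-listed variable still arrives.
echo "inherited: $(inherited_env_leaks)"
echo "clean:     $(clean_env_leaks)"
echo "passthru:  $(clean_env_passthrough)"
```

The same pattern carries over to apachectl: rather than wrapping $HTTPD in a bare `env -i`, set HTTPD to `/usr/bin/env -i PATH=... VAR=value $HTTPD` with each variable httpd legitimately needs named explicitly, so phpinfo() and $_ENV expose only what was deliberately passed in.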