Date: Thu, 13 Nov 2003 10:56:06 +0000
From: Jez Hancock <jez.hancock@munk.nu>
To: FreeBSD Security List <security@freebsd.org>
Subject: Re: Apache leaks sensitive info in PHP phpinfo() calls
Message-ID: <20031113105606.GA61022@users.munk.nu>
In-Reply-To: <20031113103751.GM453@straylight.oblivion.bg>
References: <20031113102619.GB58969@users.munk.nu> <20031113103751.GM453@straylight.oblivion.bg>
On Thu, Nov 13, 2003 at 12:37:51PM +0200, Peter Pentchev wrote:
> On Thu, Nov 13, 2003 at 10:26:19AM +0000, Jez Hancock wrote:
> [snip]
> > The apache13 port control script /usr/local/sbin/apachectl is used to
> > control the apache httpd daemon. However, the apachectl script does not
> > start with a clean environment, inheriting the environment of the user
> > that invokes the script. As a consequence the environment variables set
> > by the shell of the user that invokes apachectl (usually a UID 0 user)
> > are visible to users when executing a command such as phpinfo() in the
> > PHP $_ENV superglobal array.
> [snip]
> > HTTPD=/usr/local/sbin/httpd
> > - HTTPD=`echo /usr/bin/env -i $HTTPD`
>
> This would be a nice solution; by the way, the problem is not limited to
> PHP - it extends to any and all server-side scripting
> components/languages, including plain vanilla CGI executables, mod_perl,
> and many more.

Yes, this is partly why I thought I should ask on some lists first before
submitting a PR - for example with mod_perl - I wasn't sure if there was
anything that might become broken by completely sanitizing the environment
like I have (I don't use mod_perl on my server).

> I wonder if this should not be brought up with the Apache developers
> though - it is not really FreeBSD-specific, and a fix to the FreeBSD
> port would not address the same problem in any of the other environments
> that Apache supports :)

Again, yes! I wasn't sure why some kind of environment cleansing wasn't
already done by the apachectl script and was wondering if perhaps I'd
missed something - after searching for info on the subject I didn't find a
lot of results, so I thought it was perhaps just me and the way I do things
that was the problem :) I'll perhaps shoot off a mail to an apache list as
well then.

Thanks for the input, Peter :)

-- 
Jez Hancock - System Administrator / PHP Developer
http://munk.nu/
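The leak described in this thread, and the `env -i` fix proposed for apachectl, reproduced as an added example (not code from the message above or from the FreeBSD apache13 port). The script stands in for httpd with `sh -c env`, which dumps its environment the way phpinfo() would expose `$_ENV`; the operator's shell is simulated by exporting a constructed variable named `SECRET_DB_PASSWORD`. The PATH value passed to `env -i` is an assumption, chosen so the sanitized child can still find its binaries: `env -i` drops everything, so whatever httpd, CGI programs or mod_perl genuinely need has to be re-added explicitly, which is exactly the breakage concern raised in the reply.

```shell
#!/bin/sh
# Added example: shows an httpd launched from an unclean apachectl inheriting
# the invoking user's environment, and the env -i variant that does not.

# Constructed stand-in for a sensitive variable set in a UID 0 operator's shell.
SECRET_DB_PASSWORD="constructed-example-value"
export SECRET_DB_PASSWORD

# Hypothetical stand-in for /usr/local/sbin/httpd: prints its own environment,
# the same information a phpinfo() call or a CGI script would be able to read.
FAKE_HTTPD="sh -c env"

# The way the original apachectl launched httpd: whatever is exported in the
# caller's shell is inherited by the daemon and every script it runs.
run_inherited() {
    $FAKE_HTTPD
}

# The fix proposed in the thread: prefix the httpd command with env -i so the
# daemon starts from an empty environment. A minimal PATH is supplied
# explicitly (an assumption here) because env -i removes that too.
HTTPD_CLEAN=`echo env -i PATH=/usr/local/sbin:/usr/sbin:/usr/bin:/bin $FAKE_HTTPD`
run_clean() {
    $HTTPD_CLEAN
}

# Check whether the launched daemon can see the operator's secret.
# Returns 0 (true) if the variable is present in the child's environment.
leaks_secret() {
    "$1" | grep -q '^SECRET_DB_PASSWORD='
}

# Count how many variables the child sees at all; a sanity check that env -i
# really strips the environment rather than just renaming the secret.
env_var_count() {
    "$1" | wc -l | tr -d ' '
}

if leaks_secret run_inherited; then
    echo "inherited environment: SECRET_DB_PASSWORD visible to httpd"
fi
if leaks_secret run_clean; then
    echo "env -i: secret still visible (unexpected)"
else
    echo "env -i: secret not visible, $(env_var_count run_clean) variable(s) left"
fi
```

Run it as any user with something sensitive exported in the shell; the inherited launch shows the variable while the `env -i` launch shows only PATH and whatever the shell itself adds. In a real apachectl the same caveat applies as in the thread: sanitize, then deliberately re-export the handful of variables the server and its modules require.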