From: Jez Hancock
To: FreeBSD Security List
Date: Thu, 13 Nov 2003 10:56:06 +0000
Subject: Re: Apache leaks sensitive info in PHP phpinfo() calls
Message-ID: <20031113105606.GA61022@users.munk.nu>
In-Reply-To: <20031113103751.GM453@straylight.oblivion.bg>

On Thu, Nov 13, 2003 at 12:37:51PM +0200, Peter Pentchev wrote:
> On Thu, Nov 13, 2003 at 10:26:19AM +0000, Jez Hancock wrote:
> [snip]
> > The apache13 port control script /usr/local/sbin/apachectl is used to
> > control the apache httpd daemon. However the apachectl script does not
> > start with a clean environment, inheriting the environment of the user
> > that invokes the script. As a consequence the environment variables set
> > by the shell of the user that invokes apachectl (usually a UID 0 user)
> > are visible to users when executing a command such as phpinfo() in the
> > PHP $_ENV superglobal array.
> [snip]
> > HTTPD=/usr/local/sbin/httpd
> > - HTTPD=`echo /usr/bin/env -i $HTTPD`
>
> This would be a nice solution; by the way, the problem is not limited to
> PHP - it extends to any and all server-side scripting
> components/languages, including plain vanilla CGI executables, mod_perl,
> and many more.

Yes this is partly why I thought I should ask on some lists first before
submitting a PR - for example with mod_perl - I wasn't sure if there was
anything that might become broken by completely sanitizing the
environment like I have (I don't use mod_perl on my server).

> I wonder if this should not be brought up with the Apache developers
> though - it is not really FreeBSD-specific, and a fix to the FreeBSD
> port would not address the same problem in any of the other environments
> that Apache supports :)

Again yes! I wasn't sure why some kind of environment cleansing wasn't
already done by the apachectl script and was wondering if perhaps I'd
missed something - after searching for info on the subject I didn't find
a lot of results so thought it was perhaps just me and the way I do
things that was the problem :)

I'll perhaps shoot off a mail to an apache list as well then.

Thanks for the input Peter :)

--
Jez Hancock - System Administrator / PHP Developer
http://munk.nu/
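
Review bot: on the quoted line HTTPD=`echo /usr/bin/env -i $HTTPD`, env -i is given no variables, so httpd starts with a completely empty environment and loses PATH, TZ and locale settings together with the administrator's shell variables. Passing an explicit allowlist after -i (for example env -i PATH=... before $HTTPD) keeps the cleanup while narrowing what can break, which is the concern raised about mod_perl in the reply. The backtick echo is also unnecessary: a plain quoted assignment yields the same string without spawning a subshell.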
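
The environment inheritance discussed in this thread, as an added example that is not part of the original message or the FreeBSD port: a wrapper that starts a command under `env -i` with only allowlisted variables, and a check of what a child process can see. `ALLOW`, `run_clean`, `child_sees` and the `DB_PASSWORD` value are hypothetical names and constructed data.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeBSD port.
# Variables a daemon may inherit (assumed allowlist; adjust per site).
ALLOW="PATH TZ LANG"

# run_clean CMD [ARGS...]
# Run CMD under `env -i`, passing through only the allowlisted variables
# that are set in the caller. Runs in a subshell so nothing leaks back.
run_clean() (
    n=$#                                  # number of command words
    for name in $ALLOW; do                # names come from ALLOW only,
        eval "is_set=\${$name+x}"         # so eval never sees user input
        if [ -n "$is_set" ]; then
            eval "val=\$$name"
            set -- "$@" "$name=$val"      # append NAME=value after CMD
        fi
    done
    while [ "$n" -gt 0 ]; do              # rotate CMD words to the end:
        set -- "$@" "$1"; shift           # NAME=value ... CMD ARGS
        n=$((n - 1))
    done
    exec /usr/bin/env -i "$@"
)

# child_sees NAME MODE
# Print "yes" if a child started in MODE (inherit|clean) has NAME in its
# environment, else "no".
child_sees() {
    case $2 in
        inherit) out=$(/usr/bin/env) ;;
        clean)   out=$(run_clean /usr/bin/env) ;;
        *)       echo "usage: child_sees NAME inherit|clean" >&2; return 2 ;;
    esac
    if printf '%s\n' "$out" | grep -q "^$1="; then echo yes; else echo no; fi
}

# Constructed sample: a secret exported in the administrator's shell.
export DB_PASSWORD='constructed-secret'
for mode in inherit clean; do
    echo "DB_PASSWORD visible to child ($mode): $(child_sees DB_PASSWORD "$mode")"
done
```

Running `child_sees` for each variable a module is known to need, before switching the control script over, shows whether the allowlist is complete.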