Date: Fri, 14 Nov 2003 01:30:59 +1300 (NZDT)
From: Andrew McNaughton <andrew@scoop.co.nz>
To: Jez Hancock <jez.hancock@munk.nu>
Cc: FreeBSD Security List <security@freebsd.org>
Subject: Re: Apache leaks sensitive info in PHP phpinfo() calls
Message-ID: <20031114011226.O10854@a2.scoop.co.nz>
In-Reply-To: <20031113105606.GA61022@users.munk.nu>
References: <20031113102619.GB58969@users.munk.nu> <20031113103751.GM453@straylight.oblivion.bg> <20031113105606.GA61022@users.munk.nu>

On Thu, 13 Nov 2003, Jez Hancock wrote:

> Date: Thu, 13 Nov 2003 10:56:06 +0000
> From: Jez Hancock <jez.hancock@munk.nu>
> To: FreeBSD Security List <security@freebsd.org>
> Subject: Re: Apache leaks sensitive info in PHP phpinfo() calls
>
> On Thu, Nov 13, 2003 at 12:37:51PM +0200, Peter Pentchev wrote:
> > On Thu, Nov 13, 2003 at 10:26:19AM +0000, Jez Hancock wrote:
> > [snip]
> > > The apache13 port control script /usr/local/sbin/apachectl is used to
> > > control the apache httpd daemon. However the apachectl script does not
> > > start with a clean environment, inheriting the environment of the user
> > > that invokes the script. As a consequence the environment variables set
> > > by the shell of the user that invokes apachectl (usually a UID 0 user)
> > > are visible to users when executing a command such as phpinfo() in the
> > > PHP $_ENV superglobal array.
> > [snip]
> > > HTTPD=/usr/local/sbin/httpd
> > > - HTTPD=`echo /usr/bin/env -i $HTTPD`
> >
> > This would be a nice solution; by the way, the problem is not limited to
> > PHP - it extends to any and all server-side scripting
> > components/languages, including plain vanilla CGI executables, mod_perl,
> > and many more.
> Yes this is partly why I thought I should ask on some lists first before
> submitting a PR - for example with mod_perl - I wasn't sure if there was
> anything that might become broken by completely sanitizing the
> environment like I have (I don't use mod_perl on my server).

There are a number of very useful things you can do by passing environment variables to apache. eg setting PERL5_LIBS. These things can often be done as well from within apache's httpd.conf, but there will be a lot of installations out there that will break in various ways when you block environment variables. Not necessarily enough reason not to make the change, but something to be aware of and to alert people to. And perhaps enough to give people time to adapt to.

I suspect it would be better to have the apache executable clean the environment or not depending on a configuration directive. This should probably default to the current behaviour for a while with notification that this will change in future.

Andrew

--
No added Sugar. Not tested on animals. May contain traces of Nuts. If irritation occurs, discontinue use.
-------------------------------------------------------------------
Andrew McNaughton
Currently in Boomer Bay, Tasmania
andrew@scoop.co.nz
Mobile: +61 422 753 792
http://staff.scoop.co.nz/andrew/cv.doc
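
Review bot: on the quoted `HTTPD=` line that wraps the binary in `/usr/bin/env -i`, the backquoted `echo` spawns a subshell for no effect; `HTTPD="/usr/bin/env -i $HTTPD"` yields the same string. Because `-i` empties the whole environment, PATH included, the script should also document which variables httpd is expected to receive and pass those explicitly after `-i`, so that installations relying on a passed-through variable get a defined way to keep it.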
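
An added example, not part of the original message or the port's apachectl: one way to reconcile the `env -i` change with the compatibility concern raised above is to start the server with an empty environment plus an explicit allowlist. The `run_clean` function, the allowlist contents and the sample variables are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not the port's apachectl: launch a command with an empty
# environment plus an explicit allowlist, so the invoking user's shell
# variables never reach server-side scripts.

# Assumed allowlist (hypothetical; adjust per site). PERL5LIB is Perl's module
# search path, the kind of variable a mod_perl setup may depend on.
PASS_ENV="PATH TZ PERL5LIB"

# run_clean CMD [ARGS...]
# Runs CMD under `env -i`, copying only the PASS_ENV variables that are set.
run_clean() {
    for _n in $PASS_ENV; do
        # eval is applied to names from the fixed allowlist only, never to
        # untrusted input. Skip names that are unset in the caller.
        eval "[ \"\${$_n+set}\" = set ]" || continue
        # Prepend NAME=value to the argument list; quoting keeps spaces intact.
        eval "set -- \"$_n=\$$_n\" \"\$@\""
    done
    /usr/bin/env -i "$@"
}

# Demo with constructed values: a secret exported in the admin's shell and a
# library path the server legitimately needs.
DB_PASSWORD='constructed-secret'; export DB_PASSWORD
PERL5LIB='/usr/local/site perl/lib'; export PERL5LIB
PROBE='echo "DB_PASSWORD=${DB_PASSWORD-unset} PERL5LIB=${PERL5LIB-unset}"'

echo "inherited: $(sh -c "$PROBE")"
echo "sanitized: $(run_clean sh -c "$PROBE")"
```

In a control script the same function would wrap the daemon start, e.g. `run_clean "$HTTPD"`, with the allowlist kept in one place that administrators can review.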