From owner-freebsd-security@FreeBSD.ORG Thu Nov 13 04:40:09 2003
Date: Thu, 13 Nov 2003 13:40:45 +0100
From: Stijn Hoop
To: FreeBSD Security List
Subject: Re: Apache leaks sensitive info in PHP phpinfo() calls
Message-ID: <20031113124045.GG8993@pcwin002.win.tue.nl>
In-Reply-To: <20031113102619.GB58969@users.munk.nu>
References: <20031113102619.GB58969@users.munk.nu>
User-Agent: Mutt/1.4.1i
X-Bright-Idea: Let's abolish HTML mail!

On Thu, Nov 13, 2003 at 10:26:19AM +0000, Jez Hancock wrote:
> I wanted to get some opinions on this subject before I submit a PR about
> it. I don't know if there are any pitfalls with the 'fix' I suggested
> and thought it best to run it past people here before submitting. If
> there's a better place to post this please let me know (freebsd-ports?).

FWIW, I have been doing a variation on this for a long time, no ill
effects. I also think it is unwise to propagate every environment
variable, but the solution should be implemented by the Apache people
I think.

Just a quick 'me too',

--Stijn

-- 
This sentence contradicts itself -- no actually it doesn't.
	-- Hofstadter

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)

iD8DBQE/s3vNY3r/tLQmfWcRApi+AJ9EWGzzZ9L/qWqO4d9zhfSpcogUQgCdGHZr
GUxiJgrLRYc8vTKEQp1E75s=
=kbI6
-----END PGP SIGNATURE-----
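The point both posters agree on is that a daemon should not inherit every variable from the shell or rc script that starts it, because anything it inherits can later surface through introspection such as phpinfo(). The following is an added illustration of that mitigation, not Stijn's variation nor the fix proposed in Jez's PR: a POSIX sh wrapper that discards the inherited environment with `env -i` and re-exports only an allow-list. The allow-list contents, the PATH value and the helper names are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from the thread): launch a command with a minimal,
# allow-listed environment so stray variables from the invoking shell or
# rc script are never inherited by the daemon.

# Names permitted to pass through. PATH is always set explicitly below.
# (Assumed allow-list; adjust to what the daemon actually needs.)
CLEAN_ENV_ALLOW="TZ LANG"

# clean_env_exec CMD [ARGS...]
# Runs CMD with only PATH plus any allow-listed variables that are set.
clean_env_exec() {
    _keep=""
    for _name in $CLEAN_ENV_ALLOW; do
        # Indirect lookup of $_name; an assignment does not word-split,
        # so values containing spaces are read intact here.
        eval "_val=\${$_name:-}"
        if [ -n "$_val" ]; then
            # Note: $_keep is deliberately unquoted at the env call so that
            # each NAME=VALUE becomes its own argument; values with embedded
            # whitespace would need a different construction.
            _keep="$_keep $_name=$_val"
        fi
    done
    # env -i starts from an empty environment; only what we list survives.
    env -i PATH=/sbin:/bin:/usr/sbin:/usr/bin $_keep "$@"
}

# count_visible_vars
# Prints how many environment variables a child started through
# clean_env_exec can see (PATH plus at most the allow-list).
count_visible_vars() {
    clean_env_exec env | wc -l | tr -d ' '
}

# leaked_value NAME
# Prints the value of NAME as seen by a child started through
# clean_env_exec, or "unset" if it was scrubbed.
leaked_value() {
    clean_env_exec sh -c 'eval "echo \${'"$1"':-unset}"'
}

# Usage (constructed scenario): a variable exported by the starting shell
# does not reach the child, while an allow-listed one does.
if [ "${CLEAN_ENV_DEMO:-}" = "1" ]; then
    DB_PASSWORD='example-only' ; export DB_PASSWORD
    TZ=UTC ; export TZ
    echo "DB_PASSWORD seen by child: $(leaked_value DB_PASSWORD)"
    echo "TZ seen by child:          $(leaked_value TZ)"
    echo "variables visible to child: $(count_visible_vars)"
fi
```

Run with `CLEAN_ENV_DEMO=1 sh clean_env.sh` to see the scrubbed versus passed-through variables. The same wrapper form can be used from an rc script in place of invoking the daemon directly, which is the operational shape of "do not propagate every environment variable" that the thread is discussing.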