Apache leaks sensitive info in PHP phpinfo() calls

Peter Pentchev roam at ringlet.net
Thu Nov 13 02:37:58 PST 2003


On Thu, Nov 13, 2003 at 10:26:19AM +0000, Jez Hancock wrote:
> Hi,
> 
> I wanted to get some opinions on this subject before I submit a PR about
> it.  I don't know if there are any pitfalls with the 'fix' I suggested
> and thought it best to run it past people here before submitting.  If
> there's a better place to post this please let me know (freebsd-ports?).
> 
> The send-pr output I was about to send explains everything so I'll just
> paste it here:
[snip]
> The apache13 port control script /usr/local/sbin/apachectl is used to
> control the apache httpd daemon.  However the apachectl script does not
> start with a clean environment, inheriting the environment of the user
> that invokes the script.  As a consequence the environment variables set
> by the shell of the user that invokes apachectl (usually a UID 0 user)
> are visible to users when executing a command such as phpinfo() in the
> PHP $_ENV superglobal array.
[snip]
>   HTTPD=/usr/local/sbin/httpd
> - HTTPD=`echo /usr/bin/env -i $HTTPD`
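Review bot: the backticks around `echo` in the proposed `env -i` line are a no-op; `HTTPD="/usr/bin/env -i $HTTPD"` assigns exactly the same string and is easier to read. More importantly, `env -i` discards PATH along with everything else, so httpd is started with no PATH at all, and whatever it hands down to CGI children inherits that gap; if the goal is only to keep the invoking root shell's variables out of $_ENV and the CGI environment, pass an explicit minimal path instead, e.g. `HTTPD="/usr/bin/env -i PATH=/bin:/usr/bin $HTTPD"`.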

This would be a nice solution; by the way, the problem is not limited to
PHP - it extends to any and all server-side scripting
components/languages, including plain vanilla CGI executables, mod_perl,
and many more.

I wonder if this should not be brought up with the Apache developers
though - it is not really FreeBSD-specific, and a fix to the FreeBSD
port would not address the same problem in any of the other environments
that Apache supports :)

G'luck,
Peter

-- 
Peter Pentchev	roam at ringlet.net    roam at sbnd.net    roam at FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
.siht ekil ti gnidaer eb d'uoy ,werbeH ni erew ecnetnes siht fI
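The following is an added example and not code from either message above or from the apache13 port. It simulates the problem Jez describes and the `env -i` fix, using a constructed stand-in for httpd: `/usr/bin/env`, which simply prints the environment it was started with, the way phpinfo()'s `$_ENV` or a CGI script would expose it. Peter's point that the leak is not PHP-specific follows directly, since every server-side component receives the same environment. The `SECRET_TOKEN` variable and the `PATH=/bin:/usr/bin:/usr/local/bin` value are assumptions chosen for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): three ways a control script can launch
# its daemon, and what the daemon ends up seeing in each case. The daemon is a
# constructed stand-in (/usr/bin/env prints its own environment), standing for
# /usr/local/sbin/httpd and, by extension, for mod_php's $_ENV and CGI children.

HTTPD=/usr/bin/env          # stand-in for /usr/local/sbin/httpd

# 1. Unpatched apachectl behaviour: run $HTTPD and inherit the caller's env.
start_inherit() {
    $HTTPD
}

# 2. The fix proposed in the thread: wrap the launch in `env -i`.
#    Note that this clears PATH along with everything else.
start_clean() {
    /usr/bin/env -i $HTTPD
}

# 3. Hardened variant: clean environment plus an explicit minimal PATH
#    (assumption: these directories are what httpd and its CGI children need).
start_clean_with_path() {
    /usr/bin/env -i PATH=/bin:/usr/bin:/usr/local/bin $HTTPD
}

# Does the daemon launched by function "$1" see variable "$2"?  Prints yes/no.
daemon_sees() {
    if "$1" | grep -q "^$2="; then
        echo yes
    else
        echo no
    fi
}

# Simulate root's interactive shell: something sensitive sits in the
# environment when apachectl is run (constructed value, not a real secret).
export SECRET_TOKEN=hunter2
export PATH

printf 'unpatched launch leaks SECRET_TOKEN: %s\n' "$(daemon_sees start_inherit SECRET_TOKEN)"           # yes
printf 'env -i launch leaks SECRET_TOKEN:    %s\n' "$(daemon_sees start_clean SECRET_TOKEN)"             # no
printf 'env -i launch keeps PATH:            %s\n' "$(daemon_sees start_clean PATH)"                     # no
printf 'env -i PATH=... keeps PATH:          %s\n' "$(daemon_sees start_clean_with_path PATH)"           # yes
printf 'env -i PATH=... leaks SECRET_TOKEN:  %s\n' "$(daemon_sees start_clean_with_path SECRET_TOKEN)"   # no
```

Run it as root or as any user; the point is independent of UID. Swapping the stand-in for the real binary (`HTTPD=/usr/local/sbin/httpd`) and calling `phpinfo()` or a CGI that prints its environment from a browser gives the same three outcomes.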