Apache leaks sensitive info in PHP phpinfo() calls

Jez Hancock jez.hancock at munk.nu
Thu Nov 13 02:56:08 PST 2003


On Thu, Nov 13, 2003 at 12:37:51PM +0200, Peter Pentchev wrote:
> On Thu, Nov 13, 2003 at 10:26:19AM +0000, Jez Hancock wrote:
> [snip]
> > The apache13 port control script /usr/local/sbin/apachectl is used to
> > control the apache httpd daemon.  However the apachectl script does not
> > start with a clean environment, inheriting the environment of the user
> > that invokes the script.  As a consequence the environment variables set
> > by the shell of the user that invokes apachectl (usually a UID 0 user)
> > are visible to users when executing a command such as phpinfo() in the
> > PHP $_ENV superglobal array.
> [snip]
> >   HTTPD=/usr/local/sbin/httpd
> > - HTTPD=`echo /usr/bin/env -i $HTTPD`
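Review bot: the backtick-echo on the new `HTTPD=` line is redundant, since `HTTPD="/usr/bin/env -i $HTTPD"` yields the identical string; the more important point is that `env -i` empties the environment completely, PATH included, so anything httpd or its CGI children later run by bare name will no longer be found. Prefer `env -i PATH=/bin:/usr/bin:/usr/local/bin $HTTPD`, or an explicit allow-list of variables, so that only the invoking shell's extras are dropped rather than everything.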
> 
> This would be a nice solution; by the way, the problem is not limited to
> PHP - it extends to any and all server-side scripting
> components/languages, including plain vanilla CGI executables, mod_perl,
> and many more.
Yes, this is partly why I thought I should ask on some lists first before
submitting a PR - for example with mod_perl - I wasn't sure if there was
anything that might become broken by completely sanitizing the
environment like I have (I don't use mod_perl on my server).

> I wonder if this should not be brought up with the Apache developers
> though - it is not really FreeBSD-specific, and a fix to the FreeBSD
> port would not address the same problem in any of the other environments
> that Apache supports :)
Again, yes!  I wasn't sure why some kind of environment cleansing wasn't
already done by the apachectl script and was wondering if perhaps I'd missed
something - after searching for info on the subject I didn't find a lot
of results so thought it was perhaps just me and the way I do things
that was the problem :)

I'll perhaps shoot off a mail to an apache list as well then.  Thanks
for the input Peter :)

-- 
Jez Hancock
 - System Administrator / PHP Developer

http://munk.nu/
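An allow-list variant of the environment sanitising discussed in the thread, added here as an example; it is not Jez's patch and not the apachectl script. Instead of `env -i` dropping everything (the mod_perl worry above), only the variables named in `KEEP_VARS` are carried over; `KEEP_VARS`, `run_clean` and `leaked_count` are names assumed for this example.

```sh
#!/bin/sh
# Added example, not the apachectl script or the patch from the thread.
# Starts a command with an explicit allow-list of environment variables,
# so values inherited from the invoking shell (a root user's $HOME, extra
# PATH entries, secrets in exported variables) never reach the daemon and
# therefore never show up in phpinfo()'s $_ENV.
# KEEP_VARS and the function names are assumptions for this example.

# Variables a daemon legitimately needs; everything else is dropped.
KEEP_VARS="PATH TZ LANG"

# run_clean CMD [ARGS...]: run CMD under `env -i` with only KEEP_VARS
# carried over.  Each NAME=value pair is prepended as a separate word, so
# values containing spaces survive intact.
run_clean() {
    for name in $KEEP_VARS; do
        eval "val=\${$name-}"
        if [ -n "$val" ]; then
            set -- "$name=$val" "$@"
        fi
    done
    /usr/bin/env -i "$@"
}

# leaked_count NAME...: how many of the named variables are visible in a
# child started through run_clean.  Prints 0 when none of them leak.
leaked_count() {
    n=0
    child_env=$(run_clean /usr/bin/env)
    for name in "$@"; do
        if printf '%s\n' "$child_env" | grep -q "^$name="; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}
```

In apachectl this would replace the bare `$HTTPD` invocation with `run_clean $HTTPD`, and `leaked_count SOME_VAR` from the invoking root shell is a quick check that the variable really is gone.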
