Apache leaks sensitive info in PHP phpinfo() calls

Andrew McNaughton andrew at scoop.co.nz
Thu Nov 13 04:31:05 PST 2003


On Thu, 13 Nov 2003, Jez Hancock wrote:

> Date: Thu, 13 Nov 2003 10:56:06 +0000
> From: Jez Hancock <jez.hancock at munk.nu>
> To: FreeBSD Security List <security at freebsd.org>
> Subject: Re: Apache leaks sensitive info in PHP phpinfo() calls
>
> On Thu, Nov 13, 2003 at 12:37:51PM +0200, Peter Pentchev wrote:
> > On Thu, Nov 13, 2003 at 10:26:19AM +0000, Jez Hancock wrote:
> > [snip]
> > > The apache13 port control script /usr/local/sbin/apachectl is used to
> > > control the apache httpd daemon.  However the apachectl script does not
> > > start with a clean environment, inheriting the environment of the user
> > > that invokes the script.  As a consequence the environment variables set
> > > by the shell of the user that invokes apachectl (usually a UID 0 user)
> > > are visible to users when executing a command such as phpinfo() in the
> > > PHP $_ENV superglobal array.
> > [snip]
> > >   HTTPD=/usr/local/sbin/httpd
> > > - HTTPD=`echo /usr/bin/env -i $HTTPD`
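Review bot: the `HTTPD=` reassignment is marked `-`, so as quoted this removes the `/usr/bin/env -i` wrapper, while the description above asks for httpd to start with a clean environment; check the diff direction before submitting. The `echo` inside backticks adds nothing, since HTTPD="/usr/bin/env -i $HTTPD" yields the same string. Because `env -i` drops every variable, PATH included, consider passing back an explicit short list of variables after `-i` and documenting the behaviour change in the script.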
> >
> > This would be a nice solution; by the way, the problem is not limited to
> > PHP - it extends to any and all server-side scripting
> > components/languages, including plain vanilla CGI executables, mod_perl,
> > and many more.
> Yes this is partly why I thought I should ask on some lists first before
> submitting a PR - for example with mod_perl - I wasn't sure if there was
> anything that might become broken by completely sanitizing the
> environment like I have (I don't use mod_perl on my server).

There are a number of very useful things you can do by passing environment
variables to apache, e.g. setting PERL5_LIBS.  These things can often be
done as well from within apache's httpd.conf, but there will be a lot of
installations out there that will break in various ways when you block
environment variables.

Not necessarily enough reason not to make the change, but something to be
aware of and to alert people to.  And perhaps enough to give people time
to adapt to.

I suspect it would be better to have the apache executable clean the
environment or not depending on a configuration directive.  This should
probably default to the current behaviour for a while with notification
that this will change in future.

Andrew


--

No added Sugar.  Not tested on animals.  May contain traces of Nuts.  If
irritation occurs, discontinue use.

-------------------------------------------------------------------
Andrew McNaughton           Currently in Boomer Bay, Tasmania
andrew at scoop.co.nz
Mobile: +61 422 753 792     http://staff.scoop.co.nz/andrew/cv.doc
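
An added example, not part of the original message or of the apache13 port: a shell helper that starts a command under `/usr/bin/env -i` but passes back an explicit allowlist, so the invoking user's other variables do not reach the daemon while settings such as PERL5_LIBS keep working. The function name `run_clean` and the contents of `KEEP_VARS` are assumptions made for illustration.

```shell
#!/bin/sh
# Start a command with an empty environment plus an explicit allowlist,
# instead of inheriting the invoking user's whole shell environment.

# Hypothetical allowlist. PERL5_LIBS is the variable named in the message
# above; PATH is kept so the child can still locate helper programs.
KEEP_VARS="PATH PERL5_LIBS"

# run_clean CMD [ARGS...]
# Runs CMD under `env -i`, passing through only those variables named in
# KEEP_VARS that are actually set in the caller's shell.
run_clean() {
    (
        # Subshell: changes to the positional parameters stay local.
        for name in $KEEP_VARS; do
            # Accept only valid identifiers, because the name goes through eval.
            case $name in
                ''|[0-9]*|*[!A-Za-z0-9_]*) continue ;;
            esac
            # ${VAR+set} distinguishes "unset" from "set but empty".
            if eval "[ -n \"\${$name+set}\" ]"; then
                eval "value=\$$name"
                # Prepend NAME=value as a single argument so that spaces in
                # the value survive; the assignments end up before CMD.
                set -- "$name=$value" "$@"
            fi
        done
        # env -i clears everything, then applies the NAME=value arguments.
        exec /usr/bin/env -i "$@"
    )
}
```

In a control script this would wrap the daemon start, for example `run_clean "$HTTPD"`, with anything the site depends on added to `KEEP_VARS` deliberately.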