Apache leaks sensitive info in PHP phpinfo() calls

Jez Hancock jez.hancock at munk.nu
Thu Nov 13 02:26:22 PST 2003 

Hi,

I wanted to get some opinions on this subject before I submit a PR about
it.  I don't know if there are any pitfalls with the 'fix' I suggested
and though it best to run it past people here before submitting.  If
there's a better place to post this please let me know (freebsd-ports?).

The send-pr output I was about to send explains everything so I'll just
paste it here:

-snip-
To: FreeBSD-gnats-submit at freebsd.org
From: Jez Hancock <jez.hancock at munk.nu>
Reply-To: Jez Hancock <jez.hancock at munk.nu>

>Submitter-Id:  current-users
>Originator:    Jez Hancock
>Organization:  n/a
>Confidential:  no
>Synopsis:      Apache httpd leaks environment information in PHP phpinfo() calls
>Severity:      non-critical
>Priority:      low
>Category:      ports
>Class:         change-request
>Release:       FreeBSD 4.8-STABLE i386
>Environment:
System: FreeBSD users.munk.nu 4.8-STABLE FreeBSD 4.8-STABLE #1: Fri Apr 18 14:38:46 BST 2003 root at users.munk.nu:/usr/obj/usr/src/sys/MUNKBOXEN i386

>Description:
The apache13 port control script /usr/local/sbin/apachectl is used to
control the apache httpd daemon.  However the apachectl script does not
start with a clean environment, inheriting the environment of the user
that invokes the script.  As a consequence the environment variables set
by the shell of the user that invokes apachectl (usually a UID 0 user)
are visible to users when executing a command such as phpinfo() in the
PHP $_ENV superglobal array.

>How-To-Repeat:
Invoke the apachectl control script as a user who has shell environment
variables set.  Browse to a web page served by the httpd that contains a
PHP phpinfo() call and observe the environment of the user in the $_ENV
superglobal array.

>Fix:
Add a single line to the apachectl control script to ensure apache runs
with a clean environment:

*** /usr/local/sbin/apachectl   Thu Nov 13 06:59:05 2003
--- /usr/local/sbin/apachectl.bak       Thu Nov 13 06:58:54 2003
***************
*** 26,32 ****
  #
  # the path to your httpd binary, including options if necessary
  HTTPD=/usr/local/sbin/httpd
- HTTPD=`echo /usr/bin/env -i $HTTPD`
  #
  # a command that outputs a formatted text version of the HTML at the
  # url given on the command line.  Designed for lynx, however other
--- 26,31 ----
-snip-

This appears to work as required, removing any details about the
apachectl-invoking user's environment from the $_ENV array.  Are there
any pitfalls of using env in this way though?

-- 
Jez Hancock
 - System Administrator / PHP Developer

http://munk.nu/

More information about the freebsd-security mailing list