Apache leaks sensitive info in PHP phpinfo() calls
Jez Hancock
jez.hancock at munk.nu
Thu Nov 13 02:26:22 PST 2003
Hi,
I wanted to get some opinions on this subject before I submit a PR about
it. I don't know if there are any pitfalls with the 'fix' I suggested
and thought it best to run it past people here before submitting. If
there's a better place to post this please let me know (freebsd-ports?).
The send-pr output I was about to send explains everything so I'll just
paste it here:
-snip-
To: FreeBSD-gnats-submit at freebsd.org
From: Jez Hancock <jez.hancock at munk.nu>
Reply-To: Jez Hancock <jez.hancock at munk.nu>
>Submitter-Id: current-users
>Originator: Jez Hancock
>Organization: n/a
>Confidential: no
>Synopsis: Apache httpd leaks environment information in PHP phpinfo() calls
>Severity: non-critical
>Priority: low
>Category: ports
>Class: change-request
>Release: FreeBSD 4.8-STABLE i386
>Environment:
System: FreeBSD users.munk.nu 4.8-STABLE FreeBSD 4.8-STABLE #1: Fri Apr 18 14:38:46 BST 2003 root at users.munk.nu:/usr/obj/usr/src/sys/MUNKBOXEN i386
>Description:
The apache13 port control script /usr/local/sbin/apachectl is used to
control the apache httpd daemon. However the apachectl script does not
start with a clean environment, inheriting the environment of the user
that invokes the script. As a consequence the environment variables set
by the shell of the user that invokes apachectl (usually a UID 0 user)
are visible to users when executing a command such as phpinfo() in the
PHP $_ENV superglobal array.
>How-To-Repeat:
Invoke the apachectl control script as a user who has shell environment
variables set. Browse to a web page served by the httpd that contains a
PHP phpinfo() call and observe the environment of the user in the $_ENV
superglobal array.
>Fix:
Add a single line to the apachectl control script to ensure apache runs
with a clean environment:
*** /usr/local/sbin/apachectl Thu Nov 13 06:59:05 2003
--- /usr/local/sbin/apachectl.bak Thu Nov 13 06:58:54 2003
***************
*** 26,32 ****
#
# the path to your httpd binary, including options if necessary
HTTPD=/usr/local/sbin/httpd
- HTTPD=`echo /usr/bin/env -i $HTTPD`
#
# a command that outputs a formatted text version of the HTML at the
# url given on the command line. Designed for lynx, however other
--- 26,31 ----
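Review bot: the context diff is reversed: the modified script is given as the `***` (old) side and `apachectl.bak` as the `---` (new) side, so the line you are adding appears as a removal (`- HTTPD=\`echo /usr/bin/env -i $HTTPD\``); swap the two file arguments so that patch(1) and reviewers see it as an addition. The backticked `echo` is also unnecessary, since `HTTPD="/usr/bin/env -i $HTTPD"` yields the same string. Finally, `env -i` discards the entire environment, PATH included, so httpd itself (and anything it execs, unless httpd supplies its own defaults) starts with no PATH; consider re-adding only the variables the daemon needs, e.g. `HTTPD="/usr/bin/env -i PATH=/bin:/usr/bin $HTTPD"`, rather than an empty environment.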
-snip-
This appears to work as required, removing any details about the
apachectl-invoking user's environment from the $_ENV array. Are there
any pitfalls of using env in this way though?
--
Jez Hancock
- System Administrator / PHP Developer
http://munk.nu/
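The inheritance problem and the `env -i` fix discussed above, as an added example that is not part of the original post: it shows which variable names a child process (standing in for httpd) sees when started with the caller's environment, under a bare `env -i`, and under an explicit allow-list. `SECRET_TOKEN` is a constructed stand-in for a variable set in the invoking user's shell, and the allow-listed PATH is an assumed value.

```sh
#!/bin/sh
# Added example, not from the original post. SECRET_TOKEN is a constructed
# stand-in for something set in the invoking (UID 0) user's shell.
SECRET_TOKEN='constructed-example-value'
export SECRET_TOKEN

# Variable names a child sees when it simply inherits the caller's
# environment, which is what apachectl does by default.
inherited_vars() {
    env | sed 's/=.*//' | sort | tr '\n' ' '
}

# Names seen under a bare `env -i`: the leak is gone, but so is PATH, so the
# inner command must be invoked by absolute path to run at all.
empty_env_vars() {
    /usr/bin/env -i /usr/bin/env | sed 's/=.*//' | sort | tr '\n' ' '
}

# Allow-list variant: start from nothing and re-add only what the daemon
# needs (the PATH value here is an assumption, adjust to the host).
allowlist_exec() {
    /usr/bin/env -i PATH=/bin:/usr/bin:/usr/local/bin "$@"
}
allowlist_vars() {
    allowlist_exec env | sed 's/=.*//' | sort | tr '\n' ' '
}

# Print 1 if variable NAME ($2) appears in the output of function $1, else 0.
has_var() {
    case " $($1) " in
        *" $2 "*) echo 1 ;;
        *)        echo 0 ;;
    esac
}

echo "inherited: $(inherited_vars)"
echo "env -i:    $(empty_env_vars)"
echo "allowlist: $(allowlist_vars)"
```

Only the allow-list variant both drops `SECRET_TOKEN` and keeps PATH; the bare `env -i` run drops both.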