Apache leaks sensitive info in PHP phpinfo() calls

From: Jez Hancock (jez.hancock_at_munk.nu)
Date: 11/13/03

  • Next message: Peter Pentchev: "Re: Apache leaks sensitive info in PHP phpinfo() calls"
    Date: Thu, 13 Nov 2003 10:26:19 +0000
    To: FreeBSD Security List <security@freebsd.org>
    
    

    Hi,

    I wanted to get some opinions on this subject before I submit a PR about
    it. I don't know if there are any pitfalls with the 'fix' I suggested
    and thought it best to run it past people here before submitting. If
    there's a better place to post this please let me know (freebsd-ports?).

    The send-pr output I was about to send explains everything so I'll just
    paste it here:

    -snip-
    To: FreeBSD-gnats-submit@freebsd.org
    From: Jez Han*** <jez.han***@munk.nu>
    Reply-To: Jez Han*** <jez.han***@munk.nu>

    >Submitter-Id: current-users
    >Originator: Jez Han***
    >Organization: n/a
    >Confidential: no
    >Synopsis: Apache httpd leaks environment information in PHP phpinfo() calls
    >Severity: non-critical
    >Priority: low
    >Category: ports
    >Class: change-request
    >Release: FreeBSD 4.8-STABLE i386
    >Environment:
    System: FreeBSD users.munk.nu 4.8-STABLE FreeBSD 4.8-STABLE #1: Fri Apr 18 14:38:46 BST 2003 root@users.munk.nu:/usr/obj/usr/src/sys/MUNKBOXEN i386

    >Description:
    The apache13 port control script /usr/local/sbin/apachectl is used to
    control the apache httpd daemon. However the apachectl script does not
    start with a clean environment, inheriting the environment of the user
    that invokes the script. As a consequence the environment variables set
    by the shell of the user that invokes apachectl (usually a UID 0 user)
    are visible to users when executing a command such as phpinfo() in the
    PHP $_ENV superglobal array.

    >How-To-Repeat:
    Invoke the apachectl control script as a user who has shell environment
    variables set. Browse to a web page served by the httpd that contains a
    PHP phpinfo() call and observe the environment of the user in the $_ENV
    superglobal array.

    >Fix:
    Add a single line to the apachectl control script to ensure apache runs
    with a clean environment:

    *** /usr/local/sbin/apachectl Thu Nov 13 06:59:05 2003
    --- /usr/local/sbin/apachectl.bak Thu Nov 13 06:58:54 2003
    ***************
    *** 26,32 ****
      #
      # the path to your httpd binary, including options if necessary
      HTTPD=/usr/local/sbin/httpd
    - HTTPD=`echo /usr/bin/env -i $HTTPD`
      #
      # a command that outputs a formatted text version of the HTML at the
      # url given on the command line. Designed for lynx, however other
    --- 26,31 ----
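
Review bot: The diff is generated in the wrong direction. The header names /usr/local/sbin/apachectl as the old file and apachectl.bak as the new one, so the proposed HTTPD=`echo /usr/bin/env -i $HTTPD` line appears as a removal ("-"), and applying the patch would take the fix out rather than add it. Regenerate it with the .bak copy as the first file. On the line itself, the backtick echo does nothing that HTTPD="/usr/bin/env -i $HTTPD" does not, and because env -i empties the environment completely, httpd and whatever it spawns also lose PATH and any timezone or locale variables. Pass the few that are needed explicitly, for example /usr/bin/env -i PATH=/sbin:/bin:/usr/sbin:/usr/bin $HTTPD.
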
    -snip-

    This appears to work as required, removing any details about the
    apachectl-invoking user's environment from the $_ENV array. Are there
    any pitfalls of using env in this way though?

    -- 
    Jez Han***
     - System Administrator / PHP Developer
    http://munk.nu/
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
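
The inheritance described in the report, and the effect of starting the child under env -i, shown as an added example that is not part of the original post. It goes one step beyond the one-line fix by passing an explicit allowlist through env -i. DB_PASSWORD, child_sees, run_clean and report are hypothetical names, and the secret value is constructed.

```shell
#!/bin/sh
# Added example; DB_PASSWORD, child_sees, run_clean and report are hypothetical.

# Constructed secret standing in for a variable exported in the admin's shell.
DB_PASSWORD='constructed-example-secret'
export DB_PASSWORD

# child_sees VAR [LAUNCHER...]: succeed if a child process started through
# LAUNCHER (or directly, when none is given) has VAR in its environment.
child_sees() {
    var=$1; shift
    "$@" /bin/sh -c '/usr/bin/env' | grep -q "^${var}="
}

# run_clean "NAME NAME ..." CMD [ARGS...]: run CMD under env -i, passing only
# the allowlisted variables that are set in the caller.
run_clean() {
    keep=$1; shift
    for name in $keep; do
        # Skip anything that is not a plain variable name before using eval.
        case $name in ''|[0-9]*|*[!A-Za-z0-9_]*) continue ;; esac
        eval "is_set=\${$name+x}"
        [ -n "$is_set" ] || continue
        eval "val=\$$name"
        set -- "$name=$val" "$@"   # prepend NAME=value to env's arguments
    done
    /usr/bin/env -i "$@"
}

# report LABEL [LAUNCHER...]: print which variables the child can see.
report() {
    label=$1; shift
    for v in DB_PASSWORD PATH; do
        if child_sees "$v" "$@"; then state=visible; else state=absent; fi
        printf '%-16s %-12s %s\n' "$label" "$v" "$state"
    done
}

report 'inherited'                     # child started with the caller's environment
report 'env -i'        run_clean ''    # the one-line fix: nothing is passed on
report 'env -i + PATH' run_clean 'PATH'
```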
    
