Re: Apache leaks sensitive info in PHP phpinfo() calls
From: Peter Pentchev (roam_at_ringlet.net)
Date: 11/13/03
- Previous message: Jez Han***: "Apache leaks sensitive info in PHP phpinfo() calls"
- In reply to: Jez Han***: "Apache leaks sensitive info in PHP phpinfo() calls"
- Next in thread: Jez Han***: "Re: Apache leaks sensitive info in PHP phpinfo() calls"
- Reply: Jez Han***: "Re: Apache leaks sensitive info in PHP phpinfo() calls"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 13 Nov 2003 12:37:51 +0200
To: FreeBSD Security List <security@freebsd.org>
On Thu, Nov 13, 2003 at 10:26:19AM +0000, Jez Han*** wrote:
> Hi,
>
> I wanted to get some opinions on this subject before I submit a PR about
> it. I don't know if there are any pitfalls with the 'fix' I suggested
> and thought it best to run it past people here before submitting. If
> there's a better place to post this please let me know (freebsd-ports?).
>
> The send-pr output I was about to send explains everything so I'll just
> paste it here:
[snip]
> The apache13 port control script /usr/local/sbin/apachectl is used to
> control the apache httpd daemon. However the apachectl script does not
> start with a clean environment, inheriting the environment of the user
> that invokes the script. As a consequence the environment variables set
> by the shell of the user that invokes apachectl (usually a UID 0 user)
> are visible to users when executing a command such as phpinfo() in the
> PHP $_ENV superglobal array.
[snip]
> HTTPD=/usr/local/sbin/httpd
> - HTTPD=`echo /usr/bin/env -i $HTTPD`
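Review bot: the backticked `echo` in `HTTPD=\`echo /usr/bin/env -i $HTTPD\`` adds nothing; a plain assignment `HTTPD="/usr/bin/env -i $HTTPD"` yields the same string. More importantly, `env -i` empties the environment completely, PATH included, so httpd and everything it spawns (CGI scripts in particular) would start with no PATH at all; passing a minimal explicit one, e.g. `HTTPD="/usr/bin/env -i PATH=/bin:/usr/bin $HTTPD"`, keeps the leak fix while leaving children a usable search path. Note also that storing a multi-word command in `$HTTPD` only works where the script later expands it unquoted so it word-splits into `env`, `-i` and the binary; if any invocation quotes it as `"$HTTPD"`, the whole string is treated as one nonexistent program name.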
This would be a nice solution; by the way, the problem is not limited to
PHP - it extends to any and all server-side scripting
components/languages, including plain vanilla CGI executables, mod_perl,
and many more.
I wonder if this should not be brought up with the Apache developers
though - it is not really FreeBSD-specific, and a fix to the FreeBSD
port would not address the same problem in any of the other environments
that Apache supports :)
G'luck,
Peter
--
Peter Pentchev roam@ringlet.net roam@sbnd.net roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
.siht ekil ti gnidaer eb d'yuo ,werbeH ni erew ecnetnes siht fI
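The leak discussed in the thread is easy to demonstrate and to check for after a fix. The following shell script is an added example, not code from the original thread or from the apache13 port: it exports a constructed canary variable the way a root shell might export something sensitive, then compares what a child process sees when started with the inherited environment versus under `env -i` with only an explicit PATH, which is the shape of the suggested apachectl change. The variable name `PHPINFO_CANARY`, its value and the PATH used are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the original thread): show how a daemon started
# from a root shell inherits that shell's exported variables, and how starting
# it under `env -i` with an explicit PATH prevents that.

# Constructed canary standing in for whatever the invoking shell has exported.
export PHPINFO_CANARY="constructed-secret-value"

# Start a child with the caller's full environment, the way apachectl does
# today, and report whether the canary is visible to it ("leaked" or "clean").
inherited_env_check() {
    if /usr/bin/env | grep -q '^PHPINFO_CANARY=' ; then
        echo leaked
    else
        echo clean
    fi
}

# Start the child under `env -i`, passing back only a minimal PATH so that
# CGI scripts and other children still find their tools, and report the same.
scrubbed_env_check() {
    if /usr/bin/env -i PATH=/bin:/usr/bin /usr/bin/env | grep -q '^PHPINFO_CANARY=' ; then
        echo leaked
    else
        echo clean
    fi
}

# Count the variables a scrubbed child sees: `env -i` drops everything,
# so only the PATH handed back explicitly survives.
scrubbed_var_count() {
    /usr/bin/env -i PATH=/bin:/usr/bin /usr/bin/env | wc -l | tr -d ' '
}

inherited_env_check   # leaked
scrubbed_env_check    # clean
scrubbed_var_count    # 1
```

The same comparison can be run against a live server by inspecting the environment block of the httpd process after a restart (for example via a CGI script or `phpinfo()` on a test host you control) and confirming that nothing beyond the explicitly passed variables appears.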