Re: Apache leaks sensitive info in PHP phpinfo() calls
From: Jez Hancock (jez.hancock at munk.nu)
Date: Thu Nov 13 2003 - 04:56:06 CST
On Thu, Nov 13, 2003 at 12:37:51PM +0200, Peter Pentchev wrote:
> On Thu, Nov 13, 2003 at 10:26:19AM +0000, Jez Hancock wrote:
> [snip]
> > The apache13 port control script /usr/local/sbin/apachectl is used to
> > control the apache httpd daemon. However the apachectl script does not
> > start with a clean environment, inheriting the environment of the user
> > that invokes the script. As a consequence the environment variables set
> > by the shell of the user that invokes apachectl (usually a UID 0 user)
> > are visible to users when executing a command such as phpinfo() in the
> > PHP $_ENV superglobal array.
> [snip]
> > HTTPD=/usr/local/sbin/httpd
> > - HTTPD=`echo /usr/bin/env -i $HTTPD`
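Review bot: the backtick/echo in `HTTPD=\`echo /usr/bin/env -i $HTTPD\`` is a no-op; it only builds the string "/usr/bin/env -i /usr/local/sbin/httpd", which `HTTPD="/usr/bin/env -i $HTTPD"` expresses more plainly. More importantly, `env -i` discards PATH along with everything else, so anything httpd or its modules later exec by bare name (CGI scripts, mod_perl code, PHP's exec/system) stops finding binaries; pass an explicit minimal PATH, e.g. `HTTPD="/usr/bin/env -i PATH=/sbin:/bin:/usr/sbin:/usr/bin $HTTPD"`, which also answers the mod_perl/CGI breakage concern raised in the reply. Finally, this only works while apachectl expands `$HTTPD` unquoted so the shell word-splits it into argv; any `"$HTTPD"` in the script would treat the whole string as one program name, so check every use of the variable before committing this.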
>
> This would be a nice solution; by the way, the problem is not limited to
> PHP - it extends to any and all server-side scripting
> components/languages, including plain vanilla CGI executables, mod_perl,
> and many more.
Yes, this is partly why I thought I should ask on some lists first before
submitting a PR - for example with mod_perl - I wasn't sure if there was
anything that might become broken by completely sanitizing the
environment like I have (I don't use mod_perl on my server).
> I wonder if this should not be brought up with the Apache developers
> though - it is not really FreeBSD-specific, and a fix to the FreeBSD
> port would not address the same problem in any of the other environments
> that Apache supports :)
Again, yes! I wasn't sure why some kind of environment cleansing wasn't
already done by the apachectl script and was wondering if perhaps I'd missed
something - after searching for info on the subject I didn't find a lot
of results so thought it was perhaps just me and the way I do things
that was the problem :)
I'll perhaps shoot off a mail to an apache list as well then. Thanks
for the input, Peter :)
--
Jez Hancock
- System Administrator / PHP Developer
http://munk.nu/
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
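The leak discussed in this thread, and the effect of the `env -i` fix, can be reproduced without Apache at all. The script below is an added example, not code from the thread or from the FreeBSD port: instead of httpd it launches `sh -c env`, a stand-in child that dumps its environment the way phpinfo()'s $_ENV table would, and the exported variable name and value are constructed for the demo. It goes slightly beyond the quoted patch by handing the scrubbed child an explicit PATH, since `env -i` alone would leave the daemon and anything it execs with no PATH at all.

```shell
#!/bin/sh
# Added example (not from the thread): show how a daemon launcher inherits
# the invoking user's environment, and how env -i stops the leak.
#
# Assumptions: `sh -c env` stands in for httpd and dumps its environment
# like phpinfo()'s $_ENV would; DB_PASSWORD below is a constructed sample.

# What the unpatched apachectl does: exec the daemon with whatever the
# caller's shell had exported (here, a root shell's ~/.profile leftovers).
start_inherit() {
    "$@"
}

# The patched form: wipe the environment, then hand the child only a fixed
# PATH so it (and any CGI/mod_perl code it runs) can still find binaries.
# The port's patch used /usr/bin/env; plain env is used here for portability.
start_clean() {
    env -i PATH=/sbin:/bin:/usr/sbin:/usr/bin "$@"
}

# probe VAR LAUNCHER: report whether VAR reaches a child started via LAUNCHER.
# Prints "leaked" or "clean".
probe() {
    var=$1
    launcher=$2
    if "$launcher" sh -c env | grep -q "^${var}="; then
        echo leaked
    else
        echo clean
    fi
}

# child_path LAUNCHER: the PATH the child actually sees (empty if none).
child_path() {
    "$1" sh -c 'printf %s "$PATH"'
}

# Constructed sample: the kind of thing an admin exports in a login shell.
DB_PASSWORD='s3cret-from-admin-shell'
export DB_PASSWORD

echo "inherited environment:   $(probe DB_PASSWORD start_inherit)"   # leaked
echo "env -i environment:      $(probe DB_PASSWORD start_clean)"     # clean
echo "child PATH under env -i: $(child_path start_clean)"
```

Run it from any shell that has exported a variable and the first line reports "leaked" while the second reports "clean"; the third line shows that the scrubbed child still has a usable PATH, which is the detail the one-line `env -i $HTTPD` form omits.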