Hi,

I wanted to get some opinions on this subject before I submit a PR about it. I don't know if there are any pitfalls with the 'fix' I suggested and thought it best to run it past people here before submitting. If there's a better place to post this please let me know (freebsd-ports?).

The send-pr output I was about to send explains everything so I'll just paste it here:

-snip-
To: FreeBSD-gnats-submit@freebsd.org
From: Jez Hancock <jez.hancock@munk.nu>
Reply-To: Jez Hancock <jez.hancock@munk.nu>
>Submitter-Id: current-users
>Originator: Jez Hancock
>Organization: n/a
>Confidential: no
>Synopsis: Apache httpd leaks environment information in PHP phpinfo() calls
>Severity: non-critical
>Priority: low
>Category: ports
>Class: change-request
>Release: FreeBSD 4.8-STABLE i386
>Environment:
System: FreeBSD users.munk.nu 4.8-STABLE FreeBSD 4.8-STABLE #1: Fri Apr 18 14:38:46 BST 2003 root@users.munk.nu:/usr/obj/usr/src/sys/MUNKBOXEN i386
>Description:
The apache13 port control script /usr/local/sbin/apachectl is used to control the apache httpd daemon. However the apachectl script does not start with a clean environment, inheriting the environment of the user that invokes the script. As a consequence the environment variables set by the shell of the user that invokes apachectl (usually a UID 0 user) are visible to users when executing a command such as phpinfo() in the PHP $_ENV superglobal array.
>How-To-Repeat:
Invoke the apachectl control script as a user who has shell environment variables set.
Browse to a web page served by the httpd that contains a PHP phpinfo() call and observe the environment of the user in the $_ENV superglobal array.
>Fix:
Add a single line to the apachectl control script to ensure apache runs with a clean environment:

*** /usr/local/sbin/apachectl Thu Nov 13 06:59:05 2003 --- /usr/local/sbin/apachectl.bak Thu Nov 13 06:58:54 2003 *************** *** 26,32 **** # # the path to your httpd binary, including options if necessary HTTPD=/usr/local/sbin/httpd - HTTPD=`echo /usr/bin/env -i $HTTPD` # # a command that outputs a formatted text version of the HTML at the # url given on the command line. Designed for lynx, however other --- 26,31 ----
-snip-

This appears to work as required, removing any details about the apachectl-invoking user's environment from the $_ENV array. Are there any pitfalls of using env in this way though?

--
Jez Hancock
- System Administrator / PHP Developer
http://munk.nu/
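
Review bot: The diff direction is reversed: the `***` (old) side is /usr/local/sbin/apachectl and the `---` (new) side is apachectl.bak, so in the 26,32 section the new HTTPD line carries a `-` marker and applying this as posted would delete the line instead of adding it; regenerate it with the unmodified file as the first argument. On the added line itself, the backticked `echo` does nothing a plain quoted assignment would not, so HTTPD="/usr/bin/env -i $HTTPD" is simpler. Since `env -i` empties the environment completely (PATH, TZ and LANG included), list any variables the daemon is meant to keep as NAME=value arguments after `-i` on that same line.
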
On Thu, Nov 13, 2003 at 10:26:19AM +0000, Jez Hancock wrote:
> Hi,
>
> I wanted to get some opinions on this subject before I submit a PR about
> it. I don't know if there are any pitfalls with the 'fix' I suggested
> and thought it best to run it past people here before submitting. If
> there's a better place to post this please let me know (freebsd-ports?).
>
> The send-pr output I was about to send explains everything so I'll just
> paste it here:

[snip]

> The apache13 port control script /usr/local/sbin/apachectl is used to
> control the apache httpd daemon. However the apachectl script does not
> start with a clean environment, inheriting the environment of the user
> that invokes the script. As a consequence the environment variables set
> by the shell of the user that invokes apachectl (usually a UID 0 user)
> are visible to users when executing a command such as phpinfo() in the
> PHP $_ENV superglobal array.

[snip]

> HTTPD=/usr/local/sbin/httpd > - HTTPD=`echo /usr/bin/env -i $HTTPD`

This would be a nice solution; by the way, the problem is not limited to PHP - it extends to any and all server-side scripting components/languages, including plain vanilla CGI executables, mod_perl, and many more.

I wonder if this should not be brought up with the Apache developers though - it is not really FreeBSD-specific, and a fix to the FreeBSD port would not address the same problem in any of the other environments that Apache supports :)

G'luck,
Peter

--
Peter Pentchev roam@ringlet.net roam@sbnd.net roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
.siht ekil ti gnidaer eb d'uoy ,werbeH ni erew ecnetnes siht fI
On Thu, Nov 13, 2003 at 10:26:19AM +0000, Jez Hancock wrote:
> I wanted to get some opinions on this subject before I submit a PR about
> it. I don't know if there are any pitfalls with the 'fix' I suggested
> and thought it best to run it past people here before submitting. If
> there's a better place to post this please let me know (freebsd-ports?).

FWIW, I have been doing a variation on this for a long time, no ill effects. I also think it is unwise to propagate every environment variable, but the solution should be implemented by the Apache people I think.

Just a quick 'me too',

--Stijn

--
This sentence contradicts itself -- no actually it doesn't.
-- Hofstadter
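
The inheritance discussed in this thread can be reproduced without Apache or PHP. The shell sketch below is an added example, not code from the thread or from the apache13 port: it lists the variable names a child process sees when started with the caller's environment, under a bare `env -i` as in the proposed change, and under `env -i` with an allowlist. `DB_PASSWORD`, `SSH_AUTH_SOCK`, `ALLOWLIST`, `run_scrubbed`, `leaked_names` and `scrub_ok` are names constructed for the illustration.

```shell
#!/bin/sh
# Added example: what a child process inherits under three launch styles.
# All variable names and values here are constructed for the demonstration.

# Stand-ins for what an administrator's shell might export.
export DB_PASSWORD='constructed-secret' SSH_AUTH_SOCK='/tmp/constructed.sock'

# Variables the daemon may keep (assumption: adjust to the site's needs).
ALLOWLIST="PATH TZ LANG"

# run_scrubbed CMD [ARG...]: start CMD under "env -i" with only the
# allowlisted variables that are set in the caller's environment.
run_scrubbed() {
    for _name in $ALLOWLIST; do
        eval "_isset=\${$_name+set}"
        [ "$_isset" = set ] || continue
        eval "_val=\${$_name}"
        set -- "$_name=$_val" "$@"      # prepend NAME=value to the argv
    done
    /usr/bin/env -i "$@"
}

# leaked_names [LAUNCHER...]: names of the variables a child started through
# LAUNCHER would see (no LAUNCHER means plain inheritance).
leaked_names() {
    "$@" /usr/bin/env |
        sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' | sort | tr '\n' ' '
}

# scrub_ok: succeed only if every name seen under run_scrubbed is allowlisted.
scrub_ok() {
    for _seen in $(leaked_names run_scrubbed); do
        case " $ALLOWLIST " in *" $_seen "*) ;; *) return 1 ;; esac
    done
}

printf 'inherited: %s\n' "$(leaked_names)"
printf 'env -i:    %s\n' "$(leaked_names /usr/bin/env -i)"
printf 'allowlist: %s\n' "$(leaked_names run_scrubbed)"
```

A bare `env -i` leaves the child with no variables at all, PATH included, which is why the allowlist variant is shown next to it.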