www-apache-bugdb mailing list archives

From Paul Richards <p...@originat.demon.co.uk>
Subject Re: mod_env/370: Modified PATH environment variable is not passed, instead system's is used
Date Sun, 13 Apr 1997 12:16:10 GMT
Marc Slemko <marcs@znep.com> writes:

>  On Sat, 12 Apr 1997, P. Alejandro Lopez-Valencia wrote:
>  
>  > The use of a modified environment PATH is not reflected in the
>  > actual $PATH passed to the CGI. It may constitute a security hole
>  > as the $PATH used is that of the owner of the parent process (root).
>  
>  What do you mean "modified path"?  Who is modifying it?  The path should
>  be that in effect when the server was started, or some default path if
>  there was none.  Generally root's path is reasonably restrictive; if you
>  wish to modify it you should be able to use SetEnv or change the path
>  before you start httpd.

We recently ran into this at work. I don't see any reason to pass the
$PATH onto scripts at all. Any scripts that depend on the $PATH aren't
written robustly enough and should be corrected to not rely on the
server's environment.

Most security breaches are due to admin error so as far as possible
programs should take this into account.

-- 
  Dr Paul Richards, Originative Solutions Ltd.
  Internet: paul@originat.demon.co.uk
  Phone: 0370 462071 (UK Mobile)
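
Added example, not part of the original message or of Apache: a shell CGI preamble that does not depend on whatever `$PATH` the server passes, in the spirit of the message above. `SAFE_PATH` and the function names `harden_env`, `trusted_cmd` and `cgi_main` are hypothetical; adjust the trusted directories to the host.

```shell
#!/bin/sh
# Added example (constructed): CGI preamble that ignores the PATH inherited from httpd.

SAFE_PATH=/usr/bin:/bin   # assumption: the only directories this script trusts

# harden_env: replace inherited search-path state with fixed values.
harden_env() {
    PATH=$SAFE_PATH
    export PATH
    IFS=$(printf ' \t\n_'); IFS=${IFS%_}   # default IFS: space, tab, newline
    unset ENV BASH_ENV CDPATH              # startup-file and cd search hooks
}

# trusted_cmd NAME: print the absolute path of NAME if it is an executable
# file in a SAFE_PATH directory; return 1 otherwise. Names with '/' are refused.
trusted_cmd() {
    case $1 in
        ''|*/*) return 1 ;;
    esac
    _old_ifs=$IFS
    IFS=:
    for _dir in $SAFE_PATH; do
        if [ -f "$_dir/$1" ] && [ -x "$_dir/$1" ]; then
            IFS=$_old_ifs
            printf '%s\n' "$_dir/$1"
            return 0
        fi
    done
    IFS=$_old_ifs
    return 1
}

# cgi_main: a minimal CGI response that calls one external tool by absolute path.
cgi_main() {
    harden_env
    date_bin=$(trusted_cmd date) || {
        printf 'Status: 500 Internal Server Error\r\n\r\n'
        return 1
    }
    printf 'Content-Type: text/plain\r\n\r\n'
    "$date_bin" -u
}

# Run only when invoked by a web server as a CGI (GATEWAY_INTERFACE is set by it).
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    cgi_main
fi
```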
