www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Aaron Angel <...@haknich.dhis.org>
Subject general/6600: phpinfo() returns a user environment
Date Thu, 28 Sep 2000 01:42:15 GMT

>Number:         6600
>Category:       general
>Synopsis:       phpinfo() returns a user environment
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Wed Sep 27 18:50:00 PDT 2000
>Originator:     aja@haknich.dhis.org
>Release:        1.3.12
uname -a:
FreeBSD mh-logon.haknich.dhis.org 4.1-RELEASE FreeBSD 4.1-RELEASE #1: Fri Sep 15 23:43:57
GMT 2000     aja@MHA-LOGON.NTPS.ARPA:/usr/src/sys/compile/MHA-LOGON  i386
With PHP/4 installed and enabled, a phpinfo() call returns a users' complete
environment even when running as an unpriv'd user or user www (or the likes).
I'm not sure why it ended up picking my personal account, however it did print
env. vars from my session (I am uid 1001 guid 1001 and in wheel and the website
root's group, by the way).

Although the page that calls phpinfo is owned by another user, it prints my
personal accounts' environment variables.  I've tried this with apache started
(using apachectrl) from a su'd login, and a normal console login as root, both
yeilding the same results.

It also appears that a call to the apachectrl restart command saves the
user environment, however stopping/killing the httpds (or using apachectrl)
and then starting again will change it to that of the real user (user that
su'd, or root if root is logged in directly).

>From the outputs, I've gotten my personal nicknames of several accounts on IRC
and my account on napster, preffered servers, home directory, path, etc...the
whole shebag.  This would especially be nasty if someone (why would they though)
put passwords in env vars.  (System env vars, not http!)
Create a file (phpinfo.php was used in my instance) that calls <? phpinfo(); ?>
and view it from the 'net (I viewed mine from a local connection, and a friend
viewed it remotely as well; the file was created by him, under a different
user, also).

>From my server, the exact url was (and may still be, I haven't finished looking
at the complete results yet, however the full environment was a bit alarming)
Looks like getting rid of HTTP_ENV_VARS["..."] environment variables would help,
and I think HTTP_SERVER_VARS["..."] is a security risk too.

Looks like the sandbox isn't working fully, or something, I get this even though
the server is run as nobody/nogroup and even www/www.
 [In order for any reply to be added to the PR database, you need]
 [to include <apbugs@Apache.Org> in the Cc line and make sure the]
 [subject line starts with the report component and number, with ]
 [or without any 'Re:' prefixes (such as "general/1098:" or      ]
 ["Re: general/1098:").  If the subject doesn't match this       ]
 [pattern, your message will be misfiled and ignored.  The       ]
 ["apbugs" address is not added to the Cc line of messages from  ]
 [the database automatically because of the potential for mail   ]
 [loops.  If you do not include this Cc, your reply may be ig-   ]
 [nored unless you are responding to an explicit request from a  ]
 [developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]

View raw message