php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #17633 phpinfo() divulges environment variables of user that initiates apache process
Submitted: 2002-06-06 16:18 UTC Modified: 2002-06-07 00:42 UTC
From: jason at l337hosting dot com Assigned:
Status: Not a bug Package: Unknown/Other Function
PHP Version: 4.2.1 OS: Red Hat Linux 7.3
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: jason at l337hosting dot com
New email:
PHP Version: OS:

 

 [2002-06-06 16:18 UTC] jason at l337hosting dot com 
First, I wonder why it is necessary for php to know/share information about the system upon which it's installed like the values of environmental variables for the user that started apache. While this is a rather benign security risk, I'm a big fan of "if you don't need to know, then you don't know" when it comes to Internet security. So, it would seem prudent to disallow access to that sort of information if only because there isn't a single instance in the course of human affairs that a php script writer would have to know the PWD value of the user that started apache [hopefully] 4 months ago.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-06-06 17:08 UTC] steffann@php.net 
This is not a PHP problem, but a generic Apache problem. Apache does not clear its environment, and because of that everything that runs under Apache can read it. This includes PHP, mod_perl, mod_python, CGI scripts, etc.

The solution is not to modify PHP, but to start Apache with only the environment it needs. A possible way to do this is to modify your Apache startup script to use the 'env' command to modify the environment when starting httpd.
 [2002-06-06 17:14 UTC] jason at l337hosting dot com 
but just because something CAN read it, doesn't mean it MUST read it, right?
 [2002-06-06 17:44 UTC] steffann@php.net 
You contradict yourself. First you say "if you don't need to
know, then you don't know" , but then you give all that information to Apache, which does not need to know. And then you shift the problem to PHP, which just gives access to what Apache knows.

PHP just offers an interface to the environment. If you leave a lot of information in the environment, users have access to that information.

It is your responsibility as a sysadmin to make sure the environment does not contain information that should not be available to your users.

PS: to PHP, environment variables are just that: variables. How could PHP know what to give to the users and what not? PHP can't know that, so this is a task for the sysadmin.
 [2002-06-06 21:31 UTC] mfischer@php.net 
Add it to disable_functions in php.ini if you don't want it:

$ cat php.ini
disable_functions = phpinfo
 [2002-06-07 00:42 UTC] jason at l337hosting dot com 
And how does that prevent users from just referencing the variables all by their lonesome outside of phpinfo()?
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Fri Sep 27 23:01:26 2024 UTC