I have a question about PHP under apache.
I was playing with some PHP4.0.6 apps running under apache 1.3.20 on a vanilla RedHat 7.1 box. I was logged in as 'xyz' on the box via SSH. I 'su'd to root to restart apache (/etc/init.d/httpd restart) a few times during testing.

In one of my tests I exploited an exec function that sent unchecked input to the shell. The input I gave was "...some expected input; echo TEST|mail myuserID" and I ended up getting the email, but (the part that concerns me even more than the "hole") is that the email came from the 'xyz' userID!

A peek at 'ps' shows httpd -is- running as 'apache' (as expected) but...after quite a lengthy investigation, phpinfo(), e.g.
  <?
  // phpinfo.php
  phpinfo();
  ?>
shows, in the "Environment" section of the output, the environment VARS (PATH, MANPATH, USER, SSH session, etc... ) of the -xyz- user that restarted httpd!

I rebooted and let httpd come up "normally" and the same exploit sends mail as 'anonymous'. But after 'xyz' login, su and restart...email is sent as -xyz-?!?

After more investigation, I see this has been discussed before:

Some defensiveness from apache developers:
http://www.geocrawler.com/mail/thread.php3?subject=general%2F6600%3A+phpinfo%28%29+returns+a+user+environment&list=192

Workaround offered at:
http://www.phpbuilder.com/mail/php-developer-list/2001042/0459.php

So... I added "env -i" to the /etc/init.d/httpd script
  e.g. daemon env -i $httpd ......

'xyz' login, su and restart (with 'env -i') and now the phpinfo() output has -nothing- listed in the Environment section. I guess that's to be expected, but I'm still left scratching my head as to why the 'env -i' is not used -by default- in the RedHat (or other) httpd rc script for apache and what else might be impacted by doing so.

Is this just a PHP-under-apache issue?
Insight anyone?


-- 
PHP General Mailing List (http://www.php.net/)
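An added illustration (not from the poster or the RedHat rc script) of the behaviour described above: a daemon started from an su shell inherits that shell's exported variables, `env -i` strips them, and one side effect of `env -i` is that PATH goes too, so a cleaned launch line has to set a minimal PATH explicitly. The variable names probed (SSH_CLIENT, MANPATH) and the `launch_clean` wrapper are constructed for the example.

```shell
#!/bin/sh
# leaked_vars MODE NAME...  -> prints, space-separated, which of NAME... a child
# process can see in its environment. MODE is "inherit" (plain fork/exec, as the
# stock rc script does) or "clean" (prefixed with `env -i`, as in the workaround).
leaked_vars() {
  mode=$1; shift
  # The child shell tests each name with ${NAME+x}, which is set only if NAME exists.
  child='r=""; for v in "$@"; do eval "[ -n \"\${$v+x}\" ]" && r="$r${r:+ }$v"; done; printf "%s\n" "$r"'
  if [ "$mode" = clean ]; then
    env -i /bin/sh -c "$child" sh "$@"
  else
    /bin/sh -c "$child" sh "$@"
  fi
}

# launch_clean CMD ARG...  -> what a hardened rc-script launch line looks like:
# wipe the environment, then hand the daemon only a fixed, minimal PATH so that
# helpers it execs (e.g. sendmail via mail) still resolve. Constructed wrapper.
launch_clean() {
  env -i PATH=/sbin:/usr/sbin:/bin:/usr/bin "$@"
}
```

Running `leaked_vars inherit SSH_CLIENT MANPATH` from an interactive SSH shell prints both names, while the `clean` mode prints nothing; `launch_clean /bin/sh -c 'echo "$PATH"'` shows the only variable the daemon gets.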