
Apache in woody still not fixed (leaking env variables)



Believe it or not, but woody is still the current stable distribution.
It's widely used on servers with the default Apache, which is currently
version 1.3.26-0woody5 (from security updates).

The bug of leaking the admin's shell variables into Apache's environment
still exists in the /etc/init.d/apache script.

There is some work done in the beginning of that script, which was
probably intended to clear the env, namely:
### snip ###
# ensure we don't leak environment vars into apachectl
APACHECTL="env -i LANG=${LANG} PATH=${PATH} $APACHECTL"
### snip ###
but later in the script nothing useful is done with the $APACHECTL variable.

Apache is started with:
### snip ###
    echo -n "Starting web server: $NAME"
    start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON
### snip ###

No wonder the environment variables are still there, visible for anyone
with access to CGI scripts or PHP. I've replaced the script with the
version from sarge, and it works nicely (properly clears the environment),
so I propose the script should be backported to woody ASAP. We still
don't know the date of releasing sarge as stable, and I think many
servers unnecessarily expose their environment, which may be a security
risk.

Marcin
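
The following is an added example, not part of the original post and not the Debian init script: it reproduces the pattern described above, where a daemon started directly inherits the admin's exported variables and one started through `env -i LANG=... PATH=...` does not. The names `DB_ADMIN_PASSWORD`, `daemon_sees`, `leaky_start` and `clean_start` are hypothetical, and `sh -c env` stands in for Apache and anything it runs (CGI, PHP).

```shell
#!/bin/sh
# Constructed stand-in for the daemon: a child process that dumps the
# environment it was given, as a CGI script or PHP page could.
# $1 = variable name to look for; remaining args = launcher prefix (may be empty).
daemon_sees() {
    var="$1"; shift
    "$@" sh -c 'env' | grep -q "^${var}="
}

# Constructed secret exported in the admin's interactive shell
# (hypothetical name and value).
DB_ADMIN_PASSWORD="constructed-example-value"
export DB_ADMIN_PASSWORD

# Pattern from the post: the env -i wrapper is defined but never used,
# so the daemon is launched with the caller's full environment.
leaky_start() {
    daemon_sees DB_ADMIN_PASSWORD
}

# The wrapper actually applied to the launch: only LANG and PATH are
# passed through, everything else is dropped before exec.
clean_start() {
    daemon_sees DB_ADMIN_PASSWORD env -i LANG="${LANG}" PATH="${PATH}"
}

leaky_start && echo "direct start: DB_ADMIN_PASSWORD visible to daemon"
clean_start || echo "env -i start: DB_ADMIN_PASSWORD not visible to daemon"
```

On Linux, the same check can be made against an already running daemon by reading `/proc/<pid>/environ` as root.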


