From: Jamie C. <jca...@we...> - 2006-01-08 23:24:07
On 9/Jan/2006 08:34 Hamid Hashemi wrote ..
> Hi,
>
> I am using Webmin and Virtualmin for fedora core 4 and installed apache
> 2.0.54 and php 5.0.4.
> When I was surfing the hosts and tried one of the hosts info.php which
> contains phpinfo() function to see if everything's working fine that host
> on virtualmin or not and saw something interesting in PHP Variables
> section of phpinfo() !!
> I saw some $_ENV variables which contains some information about the
> webmin and virtualmin even some passwords of virtualmin !!!!
> here is some example about these variables :
>
> _ENV["DOCUMENT_REALROOT"] /usr/libexec/webmin
> _ENV["VIRTUALSERVER_MAILBOXLIMIT"] 20
> _ENV["VIRTUALSERVER_LOGROTATE"] 1
> _ENV["VIRTUALSERVER_PREFIX"] xxxxxxxxx ( I changed this !)
> _ENV["VIRTUALSERVER_IP"] xx.xx.xx.xx ( this too ! )
> _ENV["QUOTA_SBLOCKS"] 10240
> _ENV["HTTP_CONTENT_LENGTH"] 436
> _ENV["VIRTUALSERVER_LIMIT_WEB"] 1
> _ENV["QUOTA_FILESYS"] /home
> _ENV["VIRTUALSERVER_GID"] 538
> _ENV["MINISERV_CONFIG"] /etc/webmin/miniserv.conf
> _ENV["VIRTUALSERVER_POSTGRES"] /no value/
> _ENV["VIRTUALSERVER_MAIL"] 1
> _ENV["QUOTA_HFILES"] 0
>
>
> and a lot of other variables which is really secure ! I don't know from
> where phpinfo() found these but I need to solve this problem ASAP ! Also
> I checked the same issue on another server and the same result happened
> ! any idea ?

This is a bug in Webmin - in some cases, environment variables are being
passed through to the Apache process. It will be fixed in the next release,
but in the short term you can resolve it by finding the clean_environment
function in web-lib-funcs.pl and replacing it with:

# clean_environment()
# Deletes any environment variables inherited from miniserv so that they
# won't be passed to programs started by webmin.
sub clean_environment
{
local ($k, $e);
# Keep a copy of the original environment before scrubbing it
%UNCLEAN_ENV = %ENV;
# Remove every variable in the request- and Virtualmin-related namespaces
foreach $k (keys %ENV) {
	if ($k =~ /^(HTTP|VIRTUALSERVER|QUOTA|USERADMIN)_/) {
		delete($ENV{$k});
		}
	}
# Remove the individually named CGI and Webmin variables
foreach $e ('WEBMIN_CONFIG', 'SERVER_NAME', 'CONTENT_TYPE', 'REQUEST_URI',
	    'PATH_INFO', 'WEBMIN_VAR', 'REQUEST_METHOD', 'GATEWAY_INTERFACE',
	    'QUERY_STRING', 'REMOTE_USER', 'SERVER_SOFTWARE', 'SERVER_PROTOCOL',
	    'REMOTE_HOST', 'SERVER_PORT', 'DOCUMENT_ROOT', 'SERVER_ROOT',
	    'MINISERV_CONFIG', 'SCRIPT_NAME', 'SERVER_ADMIN', 'CONTENT_LENGTH',
	    'HTTPS', 'FOREIGN_MODULE_NAME', 'FOREIGN_ROOT_DIRECTORY',
	    'SCRIPT_FILENAME', 'PATH_TRANSLATED', 'BASE_REMOTE_USER',
	    'DOCUMENT_REALROOT', 'MINISERV_CONFIG') {
	delete($ENV{$e});
	}
}

- Jamie
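
Added example, not part of the original message and not Webmin code: a Python check that lists which of the variables named in the function above are still present in a running process's startup environment, read from /proc/<pid>/environ on Linux. The function names and the sample bytes are constructed for illustration; only variable names are reported, never values.

```python
import re
import sys

# Prefixes and names copied from the clean_environment() replacement above.
LEAK_PREFIX = re.compile(r"^(HTTP|VIRTUALSERVER|QUOTA|USERADMIN)_")
LEAK_NAMES = {
    "WEBMIN_CONFIG", "SERVER_NAME", "CONTENT_TYPE", "REQUEST_URI",
    "PATH_INFO", "WEBMIN_VAR", "REQUEST_METHOD", "GATEWAY_INTERFACE",
    "QUERY_STRING", "REMOTE_USER", "SERVER_SOFTWARE", "SERVER_PROTOCOL",
    "REMOTE_HOST", "SERVER_PORT", "DOCUMENT_ROOT", "SERVER_ROOT",
    "MINISERV_CONFIG", "SCRIPT_NAME", "SERVER_ADMIN", "CONTENT_LENGTH",
    "HTTPS", "FOREIGN_MODULE_NAME", "FOREIGN_ROOT_DIRECTORY",
    "SCRIPT_FILENAME", "PATH_TRANSLATED", "BASE_REMOTE_USER",
    "DOCUMENT_REALROOT",
}

# Constructed sample of a NUL-separated environ block (not captured data).
SAMPLE = (b"PATH=/sbin:/bin\0LANG=C\0VIRTUALSERVER_GID=538\0"
          b"QUOTA_FILESYS=/home\0MINISERV_CONFIG=/etc/webmin/miniserv.conf\0")

def parse_environ(raw):
    """Parse the NAME=value\\0 format of /proc/<pid>/environ into a dict."""
    env = {}
    for entry in raw.split(b"\0"):
        name, sep, value = entry.partition(b"=")
        if name and sep:  # skip empty or malformed entries
            env[name.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env

def leaked_names(env):
    """Return the sorted variable names that the scrub should have removed."""
    return sorted(n for n in env if n in LEAK_NAMES or LEAK_PREFIX.match(n))

def audit_pid(pid):
    """Check one process; needs root or the same user as the process."""
    with open(f"/proc/{pid}/environ", "rb") as fh:
        return leaked_names(parse_environ(fh.read()))

if __name__ == "__main__":
    # Usage: pass the PIDs of the Apache processes to check.
    status = 0
    for pid in sys.argv[1:]:
        names = audit_pid(pid)
        print(f"{pid}: {'clean' if not names else 'LEAKED ' + ', '.join(names)}")
        status |= bool(names)
    sys.exit(status)
```

/proc/<pid>/environ reflects the environment the process was started with, so Apache has to be restarted after the fix is in place before this check can come back clean.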