Secure the Use of the PHP Function Apache_SetEnv
PHP is one of the most widely used web scripting languages and it is a critical component of the Apache server. However, while PHP has been paying more attention to security issues in recent years, it still has some loose default configuration options which can be exploited. One of those is the putenv() function, which allows a script to set environment variables visible to all layers of the Apache server.
The PHP function apache_setenv() sets an internal environment variable that is then passed to CGI scripts and Server Side Includes (SSI pages). These variables are not the same as those set by the
There are several ways to secure the use of the PHP putenv() function. The first is to restrict the availability of this function to a specific virtual host using the
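As an added illustration (not from the original page), the following Apache virtual host configuration shows a loose setup beside a hardened one. It assumes PHP runs as mod_php, so the per-virtual-host directive used is php_admin_value (the page does not name the directive, so this is an assumption); under PHP-FPM the same disable_functions setting would go into that pool's configuration instead.

```apache
# Loose: putenv() and apache_setenv() stay available to every script.
<VirtualHost *:80>
    ServerName loose.example.test
    DocumentRoot /var/www/loose
    # no disable_functions set: PHP's default leaves both functions enabled
</VirtualHost>

# Hardened: disable the two functions for this virtual host only.
# php_admin_value cannot be overridden by ini_set() or .htaccess,
# so a script served from this host cannot re-enable them.
<VirtualHost *:80>
    ServerName hardened.example.test
    DocumentRoot /var/www/hardened
    php_admin_value disable_functions "putenv,apache_setenv"
</VirtualHost>
```

To confirm the setting took effect, a script served from the hardened host can call ini_get('disable_functions'); calling putenv() there should raise a fatal error rather than set a variable.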
Finally, you can also secure the use of putenv() by putting the config file in a directory listed in the safe_mode_include_dir directive of your Apache server. This prevents a malicious script from creating files within the include path that could be exploited by another script to gain write access to the web server.