
During penetration testing on a website, the tests found a local file inclusion vulnerability in an old WordPress plugin that was installed. An attacker can exploit the LFI vulnerability to include /etc/passwd and also the index page; however, when including /proc/self/environ, all the attacker sees is this:

CONTEXT_DOCUMENT_ROOT=/home/[website]/public_htmlCONTEXT_DOCUMENT_ROOT=/home/[website]/public_html

Isn't /proc/self/environ supposed to show other information? Such as your user agent? If so, why is it that for this website, all it shows is CONTEXT_DOCUMENT_ROOT?

I know that when an attacker includes /proc/self/environ and it does show their user agent, they can use tamper data for example to change their user agent to PHP code and upload a shell for example or open outbound TCP connections etc.

So, basically, since this is all /proc/self/environ shows, does that mean that /proc/self/environ is basically safe from attackers? Or can they somehow manipulate this to show their user agent and run PHP code? (Forgive me if this is a stupid question, I am somewhat new to security. Also, ignore the elephant in the room: the actual LFI vuln will be fixed so it isn't vulnerable at all, but I am still curious about my /proc/self/environ question.)

Robert Mennell
Jason Rigley

1 Answer


/proc/self/environ contains the environment of the process. In this case, only CONTEXT_DOCUMENT_ROOT seems to be present (there would be a \0 between the two copies).

This would be possible. If your PHP application isn't run as a CGI, there's no need for the HTTP_ variables to appear there. The other SAPIs (such as FastCGI or an Apache module) receive them in a different way.

However, even if we are only seeing the server environment, and it is not used to pass parameters to the application, it seems peculiar that typical variables like PATH or HOME don't appear there. And that the same variable appears twice doesn't make much sense, either.

Why don't you upload a basic PHP file to print the contents of /proc/self/environ?

> I know that when an attacker includes /proc/self/environ and it does show their user agent, they can use tamper data for example to change their user agent to PHP code and upload a shell for example or open outbound TCP connections etc.

Not at all. In order to run code, the server would need to eval() the included User Agent, which would be quite silly.

The environment contents may be useful for gaining more info about the server (such as paths) for further attacks, though.

Ángel
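The answer points out two things a reader can check for themselves: the environ blob is NUL-separated (which is why the two CONTEXT_DOCUMENT_ROOT copies run together in a browser), and only a CGI-style SAPI places request headers into the environment as HTTP_* variables. The script below is an added example, not code from the original question or answer. It parses an environ blob and reports whether any request-controlled variables are present, which is the check a defender would run against the output of the "print /proc/self/environ" test the answer suggests. The two sample blobs are constructed for the example, not captured from any real server; read_environ() is a hypothetical helper for running the same check on a live process.

```python
"""Inspect a /proc/<pid>/environ-style blob for request-controlled variables.

Added example, not part of the original post. Assumes the environ format the
answer describes: NUL-separated NAME=VALUE entries.
"""
from typing import Dict, List, Tuple

# Constructed samples (not captured from a real server).
# What the question's server showed: one variable, twice, no HTTP_* entries.
MODULE_SAPI_ENVIRON = (
    b"CONTEXT_DOCUMENT_ROOT=/home/example/public_html\x00"
    b"CONTEXT_DOCUMENT_ROOT=/home/example/public_html\x00"
)
# What a CGI SAPI would expose: request headers copied into HTTP_* variables.
CGI_SAPI_ENVIRON = (
    b"PATH=/usr/local/bin:/usr/bin:/bin\x00"
    b"SCRIPT_NAME=/index.php\x00"
    b"HTTP_USER_AGENT=Mozilla/5.0 (constructed sample)\x00"
    b"HTTP_X_FORWARDED_FOR=192.0.2.10\x00"
    b"REMOTE_ADDR=192.0.2.10\x00"
)


def parse_environ(blob: bytes) -> List[Tuple[str, str]]:
    """Split a NUL-separated environ blob into (name, value) pairs.

    Duplicates are kept so that a doubled variable, as in the question,
    is visible instead of being collapsed into a dict key.
    """
    pairs: List[Tuple[str, str]] = []
    for entry in blob.split(b"\x00"):
        if not entry:  # trailing NUL produces an empty final chunk
            continue
        name, _, value = entry.partition(b"=")
        pairs.append((name.decode("utf-8", "replace"),
                      value.decode("utf-8", "replace")))
    return pairs


def request_controlled(pairs: List[Tuple[str, str]]) -> List[str]:
    """Names a client can set directly: CGI maps each request header to HTTP_<NAME>."""
    return [name for name, _ in pairs if name.startswith("HTTP_")]


def assess(blob: bytes) -> Dict[str, object]:
    """Summarise what an included environ would reveal to an attacker."""
    pairs = parse_environ(blob)
    names = [name for name, _ in pairs]
    duplicates = sorted({n for n in names if names.count(n) > 1})
    client_vars = request_controlled(pairs)
    return {
        "entries": len(pairs),
        "duplicates": duplicates,            # e.g. the doubled CONTEXT_DOCUMENT_ROOT
        "request_controlled": client_vars,   # attacker-influenced content, if any
        "exposes_client_input": bool(client_vars),
    }


def read_environ(path: str = "/proc/self/environ") -> bytes:
    """Hypothetical helper: read a live environ file for the same check."""
    with open(path, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    for label, blob in (("module-style", MODULE_SAPI_ENVIRON),
                        ("cgi-style", CGI_SAPI_ENVIRON)):
        print(label, assess(blob))
```

An "exposes_client_input" result of False, as for the module-style sample, matches what the question observed: the environment carries only server-side paths, which is still useful reconnaissance for an attacker (as the answer notes) but contains nothing the client chose.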