From: xuefer at 21cn dot com
Operating system: win
PHP version: 4.3.9
PHP Bug Type: CGI related
Bug description: example conf of README.FastCGI is not secure

Description:
------------
sapi/cgi/README.FastCGI (with Apache mod_fastcgi): both the ScriptAlias (dynserver) and Alias (static server) methods have a security problem.

force_redirect is not done for FastCGI, only for CGI.
This has the same problem as CGI with no force_redirect.

I guess redirect checking can be done after $_SERVER is ready, while CGI uses getenv.

Separate php is not affected by this problem.

--
Edit bug report at http://bugs.php.net/?id=30849&edit=1
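
Added example (not part of the bug report and not PHP's own source): a sketch of a force_redirect-style check evaluated against one request's parameters instead of getenv(). The struct, the function names and the sample requests are hypothetical; it assumes the FastCGI parameters are available as a name/value list, that Apache sets REDIRECT_STATUS on internally redirected requests, and that a custom variable name comes from the cgi.redirect_status_env setting.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One request parameter as handed to the worker (hypothetical layout). */
struct fcgi_param {
    const char *name;
    const char *value;
};

/* Look the name up in the current request's parameter list (assumed to be
 * what the FastCGI layer delivers per request), not in the process env. */
static const char *param_get(const struct fcgi_param *p, size_t n,
                             const char *name)
{
    if (name == NULL || *name == '\0')
        return NULL;
    for (size_t i = 0; i < n; i++)
        if (strcmp(p[i].name, name) == 0)
            return p[i].value;
    return NULL;
}

/* Returns 1 if the request may run, 0 if it must be refused.
 * force_redirect: value of cgi.force_redirect.
 * status_env:     value of cgi.redirect_status_env, or NULL when unset. */
int redirect_check(const struct fcgi_param *p, size_t n,
                   int force_redirect, const char *status_env)
{
    if (!force_redirect)
        return 1;                         /* check disabled by configuration */
    if (param_get(p, n, "REDIRECT_STATUS") != NULL)
        return 1;                         /* set by the server's redirect */
    if (param_get(p, n, status_env) != NULL)
        return 1;                         /* administrator-chosen variable */
    return 0;                             /* no redirect marker: refuse */
}

/* Constructed sample requests; the paths are placeholders. */
static const struct fcgi_param via_handler[] = {
    {"REDIRECT_STATUS", "200"},
    {"SCRIPT_FILENAME", "/var/www/html/index.php"},
};
static const struct fcgi_param direct[] = {
    {"SCRIPT_FILENAME", "/var/www/html/index.php"},
};

int main(void)
{
    printf("via handler: %d\n", redirect_check(via_handler, 2, 1, NULL));
    printf("direct:      %d\n", redirect_check(direct, 1, 1, NULL));
    return 0;
}
```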