ID: 37157 Updated by: [EMAIL PROTECTED] Reported By: askalski at gmail dot com -Status: Open +Status: Assigned Bug Type: CGI related Operating System: Linux PHP Version: 5CVS-2006-04-21 (snap) -Assigned To: +Assigned To: dmitry
Previous Comments: ------------------------------------------------------------------------ [2006-04-21 22:02:45] askalski at gmail dot com Description: ------------ The FastCGI version of PHP does not perform the force-cgi-redirect check for page requests. If I request http://localhost/cgi-bin/php, PHP tries to parse the PHP binary in /cgi-bin as if it was a script. If cgi.fix_pathinfo is turned off, users can bypass .htaccess security. See also bug #22846. Reproduce code: --------------- PHP was configured with: ./configure --enable-fastcgi --enable-force-cgi-redirect My /cgi-bin/php is a wrapper script that sets up FastCGI environment variables: #! /bin/sh export PHPRC=/etc/apache export PHP_FCGI_CHILDREN=4 export PHP_FCGI_MAX_REQUESTS=512 exec /usr/local/bin/php Expected result: ---------------- Security Alert! The PHP CGI cannot be accessed directly. This PHP CGI binary was compiled with force-cgi-redirect enabled. This means that a page will only be served up if the REDIRECT_STATUS CGI variable is set, e.g. via an Apache Action directive. For more information as to why this behaviour exists, see the manual page for CGI security. For more information about changing this behaviour or re-enabling this webserver, consult the installation file that came with this distribution, or visit the manual page. Actual result: -------------- export PHPRC=/etc/apache export PHP_FCGI_CHILDREN=4 export PHP_FCGI_MAX_REQUESTS=512 exec /usr/local/bin/php ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=37157&edit=1
