Web Development PHP Programming - Learn PHP
 Developer Newsletter

Developer Tutorials
ASP
CGI & Perl
CSS
Flash
HTML
Java
JavaScript
Linux
MySQL
PHP
Photoshop
Python
Wireless
XML


Developer Manuals
Learn HTML
Learn PHP
Learn CSS
Learn Pear
Free White Papers



Scripts Directory
ASP Scripts
ASP.NET Scripts
CGI & Perl Scripts
Flash Scripts
Java Scripts
JavaScript Scripts
PHP Scripts
Python Scripts
Remotely Hosted Scripts
Tools & Utilities Scripts
XML Scripts

Web Hosting Directory
ASP.NET Hosting
Budget Web Hosting
Dedicated Servers
Linux Web Hosting
Shared Hosting
Small Business Hosting
Windows Web Hosting

Developer Resources
Developer Tools
Developer News
Developer Content
Developer Book Reviews
Survey Software
PHP Manual
PrevNext

Chapter 24. Installed as CGI binary

Table of Contents
Possible attacks
Case 1: only public files served
Case 2: using --enable-force-cgi-redirect
Case 3: setting doc_root or user_dir
Case 4: PHP parser outside of web tree

Possible attacks

Using PHP as a CGI binary is an option for setups that for some reason do not wish to integrate PHP as a module into server software (like Apache), or will use PHP with different kinds of CGI wrappers to create safe chroot and setuid environments for scripts. This setup usually involves installing executable PHP binary to the web server cgi-bin directory. CERT advisory CA-96.11 recommends against placing any interpreters into cgi-bin. Even if the PHP binary can be used as a standalone interpreter, PHP is designed to prevent the attacks this setup makes possible:

  • Accessing system files: http://my.host/cgi-bin/php?/etc/passwd

    The query information in a URL after the question mark (?) is passed as command line arguments to the interpreter by the CGI interface. Usually interpreters open and execute the file specified as the first argument on the command line.

    When invoked as a CGI binary, PHP refuses to interpret the command line arguments.

  • Accessing any web document on server: http://my.host/cgi-bin/php/secret/doc.html

    The path information part of the URL after the PHP binary name, /secret/doc.html is conventionally used to specify the name of the file to be opened and interpreted by the CGI program. Usually some web server configuration directives (Apache: Action) are used to redirect requests to documents like http://my.host/secret/script.php to the PHP interpreter. With this setup, the web server first checks the access permissions to the directory /secret, and after that creates the redirected request http://my.host/cgi-bin/php/secret/script.php. Unfortunately, if the request is originally given in this form, no access checks are made by web server for file /secret/script.php, but only for the /cgi-bin/php file. This way any user able to access /cgi-bin/php is able to access any protected document on the web server.

    In PHP, compile-time configuration option --enable-force-cgi-redirect and runtime configuration directives doc_root and user_dir can be used to prevent this attack, if the server document tree has any directories with access restrictions. See below for full the explanation of the different combinations.

PrevHomeNext
General considerationsUpCase 1: only public files served






About the NetVisits, Inc Network | Advertise
Developer Tutorials hosted by HostGator.
Copyright ©2007 NetVisits, Inc Network. All Rights Reserved. Privacy Policy.
Visit other NetVisits, Inc. sites: