php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Doc Bug #16111 IIS + PHP CGI == special administrative concerns
Submitted: 2002-03-15 23:05 UTC Modified: 2005-04-29 16:10 UTC
Votes:27
Avg. Score:4.7 ± 0.7
Reproduced:22 of 23 (95.7%)
Same Version:15 (68.2%)
Same OS:14 (63.6%)
From: ramac10 at hotmail dot com Assigned:
Status: Closed Package: Documentation problem
PHP Version: 4.2.1 OS: Windows
Private report: No CVE-ID: None
 [2002-03-15 23:05 UTC] ramac10 at hotmail dot com
Following the instruction with the CGI/Manual instalation does not work with PWS on a Win98 system.

Security Alert! PHP CGI cannot be accessed directly. 
This PHP CGI binary was compiled with force-cgi-redirect enabled. This means that a page will only be served up if the REDIRECT_STATUS CGI variable is set. This variable is set, for example, by Apache's Action directive redirect. 

You may disable this restriction by recompiling the PHP binary with the --disable-force-cgi-redirect switch. If you do this and you have your PHP CGI binary accessible somewhere in your web tree, people will be able to circumvent .htaccess security by loading files through the PHP parser. A good way around this is to define doc_root in your php.ini file to something other than your top-level DOCUMENT_ROOT. This way you can separate the part of your web space which uses PHP from the normal part using .htaccess security. If you do not have any .htaccess restrictions anywhere on your site you can leave doc_root undefined. If you are running IIS, you may safely set cgi.force_redirect=0 in php.ini. 

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-06-03 07:26 UTC] mfischer@php.net
Updated version, OS, Summary, reclassified as documentation problem.

As mentioned already, the way to go is to set

  cgi.force_redirect = 0

in php.ini . It's now documented in php4/win32/install.txt but needs to be properly documented in the manual too (especially in the ini settings and the http://php.net/security.cgi-bin page).
 [2002-06-18 05:39 UTC] michael at phpdevshed dot com
Ok .. Big Oops

No BUG!

Big lesson: 
This is to do with permission settings when installing php. Make sure your IIS user or everybody has permissions to access php and dlls in the php directory.

Sorry guys :)
 [2002-08-26 17:32 UTC] shelley at databyte dot com
I read bug this bug and have changed my security setting on IIS and it makes
no difference. I'm also using Zend, Smarty & ADODB. In addition I'm
running on a pentium 4. I am
having major problems in our login program and took the code out into a
seperate test problem, and am still having the same redirect problems.

I have been checking the Forums in the PHP community for the last week and
find this seems to be a problem. I've tested the following code and it
only will re-direct 1 time out of 5 or 6 times, of executing the code(with
no code changes). It gives an error message the other times.

Here is my test program:

<?
include_once("config.inc"); // Include files smarty etc.
include_once("conn.inc"); // ADODB Connection
	session_start();
	$sess_key=session_id();
	$access = 'grant';
	$page_name='page1.php';
	$login='shelley';
	$HTTP_SESSION_VARS['saccess'] = $access;
	$HTTP_SESSION_VARS['susername'] = 'Shelley Jones';
	$HTTP_SESSION_VARS['suserid'] = $login;
	$HTTP_SESSION_VARS['suseris'] = 'Cust';
	$HTTP_SESSION_VARS['spage'] = $page_name;
header("Location:page2.php?K=".$sess_key."&L=".$login);
flush();
exit; 


Error Msg recieving.

CGI Error
The specified CGI application misbehaved by not returning a complete set of HTTP headers. The headers it did return are:

Shelley
 [2002-11-10 04:07 UTC] bnicolae at wideopenwest dot com
I too had the same problem.  I read that I had to set cgi.force_redirect=0 I did this and nothing happened.  I tried everything, only to find out that my php.ini file was not in c:\winnt like the docs said they it would be.  No the binary distro put it in c:\documents and settings\administrator\windows  I copied that file to c:\winnt and the php part is working.
 [2002-12-07 06:53 UTC] domingodjf at terra dot es
Hello shelley

win2000 + iis + php

I had the same problem with header("Location....) redirects.
And I don't have a solution only have one ugly code to do the same... 

echo "<script language='javascript'> document.location.href=$url</script>";

I hope change this code on the future, when somebody will have a solution.

DJF
 [2003-01-18 15:17 UTC] philip@php.net
This still looks like a problem to me, am marking as a PWS problem until resolved.

Also it's important to know the correct php.ini is being edited as this seems to be the cause of many peoples problems.  So before reporting information to this bug report, please be sure to state where phpinfo() says it is.

If a PWS expert knows this is still a documentation problem, please reclassify with an explanation.
 [2003-01-19 23:50 UTC] sniper@php.net
This is still a documentation problem, document that people should check their php.ini is actually read by PHP.

 [2003-01-20 01:16 UTC] philip@php.net
This is now documented:
http://cvs.php.net/cvs.php/phpdoc/en/chapters/install.iis.xml

Thanks for the report :)
 [2003-02-16 19:19 UTC] XpeditionPilot at hotmail dot com
Some of the problems on this page I have fixed by making sure register gloabal variables is turned on in php.ini.  Also an easy fix to the Security alert is to make sure php.ini has security set to everyone.  Be sure only to change security for that file, not for the winnt or windows dir.  Also make sure cgi.force_redirect is set to 0, as everyone has said.  Good luck.
 [2003-05-12 11:48 UTC] bcecile at nemak dot com
I was having the same problem, and the it was related to improper NT permissions. Please be sure that your IUSR_MACHINENAME has read permissions to the php.ini file. When I had this file in the c:\winnt folder, only Administrators and the System accounts had read access. This was fine while running PHP as an ISAPI module because IIS was loading the DLL using the System account, but once I switched to a CGI module, I started having problems. This was because IIS was now launching the exe file as IUSR_MACHINENAME which is did not have correct read access to the php.ini file.
 [2003-05-12 14:06 UTC] philip@php.net
The issue of IIS permissions is related to this report but is difficult (at least for me) to come up with a straight forward comment on the issue.  In doing some research it appears there are many factors that come into play here most of which fall under "IIS Administration".  A few PHP related resources:

http://www.iis-resources.com/modules/news/article.php?storyid=4
http://forums.devshed.com/archive/5/2002/10/3/45479

Basically the IIS user (usually IUSR_MACHINENAME) needs permission to read various files and directories, such as php.ini, docroot, and the session tmp directory...  I don't feel comfortable documenting this without raising potential security issues (aka chmod 777 everything!!!) but will reopen for future comment.  Maybe someone has a nice solution to this problem and actually knows the topic (I don't).

Also some people have treated this report as a support forum, well, it's not.  Do not ask support questions here.
 [2004-06-21 17:19 UTC] c dot clix at tiscali dot it
I have the solution for the reported problem by "domingodjf at terra dot es":
He says that with iis+php he had to generate redirects by javascript.

I also had the same problem.

I solved the problem when I switched to full absolute URL. For example:
header( 'Location: http://' . $_SERVER['HTTP_HOST'] . $path );

I hope this will help.
 [2004-07-13 11:03 UTC] chooilai at yahoo dot com
i using php 4.3.0 with PWS on a Win98 system.
when i try to run phpinfo to test for the installation it comes like below:
Security Alert! PHP CGI cannot be accessed directly. 
This PHP CGI binary was compiled with force-cgi-redirect enabled. This
means that a page will only be served up if the REDIRECT_STATUS CGI
variable is set. This variable is set, for example, by Apache's Action
directive redirect. 
i try a lot of way to do but still the same. t set the cgi.force_redirect to 0 , the error will ( no file selected) i am sure that pws is not the problem because i already test for which i type http://localhost.
pls help me to solve this problem , i already try for two but still cannot solve it.
thanks
 [2004-09-21 07:10 UTC] rajesh at glidemail dot com
To Everyone complaining that cgi.force_redirect = 0 is not working, I must say that remove ; (semi-colon) before that line.  That is for comment. Remove line and it might work.
 [2005-03-14 01:02 UTC] amr at msexpert dot com
i tried all that on win2003 machine , noting works at all 
full permissions , restart , file copy and the =0 option and register globals . 
I closed the window and opened the door and still not working .  any ideas ?
 [2005-03-14 10:14 UTC] richard dot quadling at bandvulc dot co dot uk
WOW! This is a 3 year old bug.

Ok. My comment would be to drop IIS/PWS. I use Sambar (http://www.sambar.com) which is free and has a commercial license for those needing more support (and a lot of additional facilities). NOTE: Sambar and Samba are NOT related.

Both the PHP manual and the Sambar documentation have details about using each other. I've used Sambar from Win98SE up to Windows 2000 Server. I've used it on customer sites for intranet web servers.

If you can't fix the issue, then try something else. I'd normally get Sambar, PHP5 and  mySQL installed and running in under 15 minutes. Nothing goes into the Windows directory other than a few INI files. All the apps run from there own directories. The registry is not polluted either.

Nice and clean and liked by me!

Richard.
 [2005-04-29 16:10 UTC] vrana@php.net
This bug has been fixed in the documentation's XML sources. Since the
online and downloadable versions of the documentation need some time
to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation better.

"The IIS user (usually IUSR_MACHINENAME) needs permission to read various files and directories, such as php.ini, docroot, and the session tmp directory."

It is possible to set rights for individual users under Windows, there's no need of chmod 777.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 10:01:26 2024 UTC