Bug #36125 force-cgi-redirect problem
Submitted: 2006-01-22 18:37 UTC Modified: 2006-01-23 17:38 UTC
From: hugues at duplexstudio dot com Assigned:
Status: Not a bug Package: CGI/CLI related
PHP Version: 4.4.2 OS: Fedora Core 3
Private report: No CVE-ID: None
 [2006-01-22 18:37 UTC] hugues at duplexstudio dot com
Description:
------------
Force CGI Redirect is compiled in by default on Linux Apache systems for security reasons. I found a way to execute PHP code with a different php.ini file if .htaccess is enabled.

Reproduce code:
---------------
In Apache I have enabled cgi-script and .htaccess.

Maybe it's in newest version.

In the root folder of my web site I created a .htaccess file with 

AddHandler cgi-script .phtml

In my /myrootfolder/file.phtml I add
#!/usr/bin/php -c /myrootfolder/php.ini

I chmod +x the file.phtml. 

I create /myrootfolder/php.ini and set cgi.force_redirect = 0, and now I can run the file.phtml file.

The php.ini file and file.phtml must be in the same folder to work.

Expected result:
----------------
If this is not a security issue, 

I expect that the php.ini file could be anywhere on the server if the user could access it.




 [2006-01-22 18:48 UTC] tony2001@php.net
>I found a way to execute PHP code with a different 
>php.ini file if .htaccess is enabled.

So what's the problem?
 [2006-01-22 19:16 UTC] johannes@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

If you allow CGI, one might run anything - no PHP problem.
 [2006-01-23 17:38 UTC] hugues at duplexstudio dot com
So if it's not a bug, why must the php.ini file be in the same folder as the file.phtml?

Thanks
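
An added example, not part of the original report or of PHP's own code: a Python audit that walks a document root and flags the two ingredients described in this thread, an .htaccess that maps files to cgi-script and an executable file whose shebang starts php with -c or -d. The function names and the sample files are assumptions constructed for the illustration.

```python
import os
import re
import tempfile

# Directives that make Apache run matching files as CGI programs.
HANDLER_RE = re.compile(r"^\s*(?:AddHandler|SetHandler)\s+cgi-script\b", re.I)
# Shebang starting a php binary with -c (alternate php.ini) or -d (ini override).
SHEBANG_RE = re.compile(r"^#!.*php\S*\s+(?:\S+\s+)*-[cd]")

def audit_docroot(root):
    """Return (htaccess_hits, script_hits) as lists of (path, line)."""
    htaccess_hits, script_hits = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == ".htaccess":
                with open(path, errors="replace") as fh:
                    htaccess_hits += [(path, l.strip()) for l in fh if HANDLER_RE.match(l)]
            elif os.stat(path).st_mode & 0o111:  # only executable files can run as CGI
                with open(path, "rb") as fh:
                    first = fh.readline(256).decode("latin-1").strip()
                if SHEBANG_RE.match(first):
                    script_hits.append((path, first))
    return htaccess_hits, script_hits

def build_sample(root):
    """Constructed sample: the layout from the report plus one ordinary script."""
    files = {
        ".htaccess": "AddHandler cgi-script .phtml\n",
        "file.phtml": "#!/usr/bin/php -c /myrootfolder/php.ini\n<?php echo 'hi'; ?>\n",
        "php.ini": "cgi.force_redirect = 0\n",
        "index.php": "<?php echo 'ordinary page'; ?>\n",
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    os.chmod(os.path.join(root, "file.phtml"), 0o755)  # the report's chmod +x
    os.chmod(os.path.join(root, "index.php"), 0o644)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        handlers, scripts = audit_docroot(root)
        for path, line in handlers + scripts:
            print(f"{os.path.relpath(path, root)}: {line}")
```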
 
Last updated: Sat Jul 05 14:01:34 2025 UTC