php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #22270 cgi binary parses itself when called directly
Submitted: 2003-02-18 07:29 UTC Modified: 2003-08-06 18:39 UTC
From: zlo at canada dot com Assigned: shane (profile)
Status: No Feedback Package: CGI/CLI related
PHP Version: 4CVS-2003-02-18 (stable) OS: RedHat 7.2
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: zlo at canada dot com
New email:
PHP Version: OS:

 

 [2003-02-18 07:29 UTC] zlo at canada dot com
when PHP cgi binary is called from cgi-bin without cgi-redirect, it parses itself (argv[0] of the binary, whatever that happens to be)! i don't think it represents much of a security problem (it still does to some extent, because it reveals path to php and default settings), and no sane person will run the cgi binary without cgi-redirect, but i don't think its the way its supposed to be either..

here is a simple example; this also works with the php binary itself in place of this binary. 
this results in some binary output and the typical phpinfo() page in the middle:
# cat php.c

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

const char *PHP_BINARY="/path/to/php/bin/php";
const char * dummy="<?php phpinfo(); ?>";

int main(int argc, char *argv[]){
  execl(PHP_BINARY,argv[0],0);
  return 1;
};

p.s. btw this simple wrapper (without the phpinfo() part, or course) can be used as a workaround for the vulnerability with cgi-redirect that resulted in the release of 4.3.1 since it removes parameters before exec'ing php itself..

p.p.s. where can i post "feedback"? i can't seem to find it..

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2003-02-19 01:09 UTC] shane@php.net
This has happened for some time, it's a big part of what prompted my starting on rewriting cgi stuff.  It shouldn't happen with 4.3 if cgi.fix_pathinfo=1, or if you don't compile with discard-path.
 [2003-02-19 10:06 UTC] zlo at canada dot com
here is my configure:
./configure' '--with-config-file-path=/path/to/php' '--prefix=/path/to/php-test' '--enable-force-cgi-redirect' '--disable-cli' '--enable-bcmath' '--enable-trans-sid' '--with-zlib-dir=/build/zlib-1.1.4' '--with-mysql=/usr/local' 

i also put cgi.fix_pathinfo in php.ini, doesn't help.
 [2003-05-26 18:26 UTC] sniper@php.net
Does this happen with latest stable snapshot from snaps.php.net ?

 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Sat Feb 15 13:01:30 2025 UTC