Bug #22270 cgi binary parses itself when called directly
Submitted: 2003-02-18 07:29 UTC Modified: 2003-08-06 18:39 UTC
From: zlo at canada dot com Assigned: shane (profile)
Status: No Feedback Package: CGI/CLI related
PHP Version: 4CVS-2003-02-18 (stable) OS: RedHat 7.2
Private report: No CVE-ID: None

 
 [2003-02-18 07:29 UTC] zlo at canada dot com
when PHP cgi binary is called from cgi-bin without cgi-redirect, it parses itself (argv[0] of the binary, whatever that happens to be)! i don't think it represents much of a security problem (it still does to some extent, because it reveals path to php and default settings), and no sane person will run the cgi binary without cgi-redirect, but i don't think it's the way it's supposed to be either..

here is a simple example; this also works with the php binary itself in place of this binary. 
this results in some binary output and the typical phpinfo() page in the middle:
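# cat php.c

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>   /* execl() */

const char *PHP_BINARY = "/path/to/php/bin/php";
/* Never referenced: it only embeds PHP code in this binary, so that it
   shows up when php ends up parsing the wrapper itself. */
const char *dummy = "<?php phpinfo(); ?>";

int main(int argc, char *argv[]) {
  /* Run php with argv[0] only; no other parameters are passed on. */
  execl(PHP_BINARY, argv[0], (char *)NULL);
  return 1;  /* reached only if execl() failed */
}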

p.s. btw this simple wrapper (without the phpinfo() part, of course) can be used as a workaround for the vulnerability with cgi-redirect that resulted in the release of 4.3.1 since it removes parameters before exec'ing php itself..

p.p.s. where can i post "feedback"? i can't seem to find it..
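
Added example, not part of the original report and not PHP project code: a variant of the parameter-stripping wrapper from the p.s. that also refuses to start php when the request did not arrive through a server redirect. It assumes the web server sets REDIRECT_STATUS on internal redirects (the variable the force-cgi-redirect check relies on); the helper names invoked_directly and clean_argv are hypothetical, and the path is the report's placeholder.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Placeholder path, as in the report above. */
static const char *PHP_BINARY = "/path/to/php/bin/php";

/* Assumption: the web server sets REDIRECT_STATUS only on an internal
   redirect, so a missing or empty value means the wrapper was requested
   directly from cgi-bin. */
int invoked_directly(const char *redirect_status)
{
    return redirect_status == NULL || redirect_status[0] == '\0';
}

/* Build the argument vector handed to php: the program name only.
   Anything the server placed on the command line is discarded, which is
   the "removes parameters" step the report describes.
   Returns the number of arguments stored, or 0 if out[] is too small. */
size_t clean_argv(const char *name, char *out[], size_t cap)
{
    if (cap < 2)
        return 0;
    out[0] = (char *)name;
    out[1] = NULL;
    return 1;
}

int main(int argc, char *argv[])
{
    char *child_argv[2];
    (void)argc;
    (void)argv;   /* incoming parameters are deliberately ignored */

    if (invoked_directly(getenv("REDIRECT_STATUS"))) {
        /* Refuse rather than start php with no script to parse. */
        fputs("Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n"
              "direct access denied\n", stdout);
        return 0;
    }
    if (clean_argv(PHP_BINARY, child_argv, 2) != 1)
        return 1;
    execv(PHP_BINARY, child_argv);
    perror("execv");   /* reached only if the exec failed */
    return 1;
}
```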

 [2003-02-19 01:09 UTC] shane@php.net
This has happened for some time, it's a big part of what prompted my starting on rewriting cgi stuff.  It shouldn't happen with 4.3 if cgi.fix_pathinfo=1, or if you don't compile with discard-path.
 [2003-02-19 10:06 UTC] zlo at canada dot com
here is my configure:
'./configure' '--with-config-file-path=/path/to/php' '--prefix=/path/to/php-test' '--enable-force-cgi-redirect' '--disable-cli' '--enable-bcmath' '--enable-trans-sid' '--with-zlib-dir=/build/zlib-1.1.4' '--with-mysql=/usr/local'

i also put cgi.fix_pathinfo in php.ini, doesn't help.
 [2003-05-26 18:26 UTC] sniper@php.net
Does this happen with latest stable snapshot from snaps.php.net ?

 
Last updated: Fri Mar 29 01:01:28 2024 UTC