Bug #36125 force-cgi-redirect problem
Submitted: 2006-01-22 18:37 UTC Modified: 2006-01-23 17:38 UTC
From: hugues at duplexstudio dot com Assigned:
Status: Not a bug Package: CGI/CLI related
PHP Version: 4.4.2 OS: Fedora Core 3
Private report: No CVE-ID: None
 [2006-01-22 18:37 UTC] hugues at duplexstudio dot com
Description:
------------
Force CGI Redirect is compiled by default on Linux Apache systems for security reasons. I found a way to execute PHP code with a different php.ini file if .htaccess is enabled.

Reproduce code:
---------------
In Apache I have enabled cgi-script and .htaccess

Maybe it's in the newest version.

In the root folder of my web site I created a .htaccess file with 

AddHandler cgi-script .phtml

In my /myrootfolder/file.phtml I add
#!/usr/bin/php -c /myrootfolder/php.ini

I chmod +x the file.phtml. 

I create /myrootfolder/php.ini and set cgi.force_redirect = 0 and now I can run the file.phtml file

The php.ini file and file.phtml must be in the same folder to work.

Expected result:
----------------
If this is not a security issue, 

I expect that the php.ini file could be anywhere on the server if the user could access it.

 [2006-01-22 18:48 UTC] tony2001@php.net
>I found a way to execute PHP code with a different 
>php.ini file if .htaccess is enabled.

So what's the problem?
 [2006-01-22 19:16 UTC] johannes@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

If you allow cgi one might run anything - no PHP problem 
 [2006-01-23 17:38 UTC] hugues at duplexstudio dot com
So if it's not a bug, why must the php.ini file be in the same folder as file.phtml?

Thanks
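
Added example, not part of the original report or of PHP's own code: a small audit script a server administrator could run over a document root to find the setup described in this thread, namely .htaccess files that map files to cgi-script and executable files whose shebang starts php with -c. The finding names and the sample tree built in demo() are constructed for illustration.

```python
import os
import re
import tempfile

# AddHandler/SetHandler lines that map files to Apache's cgi-script handler.
CGI_HANDLER = re.compile(r"^\s*(?:AddHandler|SetHandler)\s+cgi-script\b", re.I)

def shebang_ini_override(path):
    """Return the php.ini path given via '-c' in a php shebang, else None."""
    try:
        with open(path, "rb") as fh:
            first = fh.readline(512)
    except OSError:
        return None
    parts = first[2:].decode("utf-8", "replace").split() if first.startswith(b"#!") else []
    if not parts or "php" not in os.path.basename(parts[0]) or "-c" not in parts[1:]:
        return None
    idx = parts.index("-c", 1)
    return parts[idx + 1] if idx + 1 < len(parts) else ""

def audit(docroot):
    """Return sorted (kind, path, detail) findings under docroot."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            full = os.path.join(dirpath, name)
            if name == ".htaccess":
                with open(full, errors="replace") as fh:
                    findings += [("cgi-handler", full, ln.strip())
                                 for ln in fh if CGI_HANDLER.match(ln)]
                continue
            ini = shebang_ini_override(full)
            # Only flag scripts that carry an execute bit, as in the report (chmod +x).
            if ini is not None and os.stat(full).st_mode & 0o111:
                findings.append(("php-ini-override", full, ini))
    return sorted(findings)

def demo():
    """Build a constructed docroot mirroring the report and audit it."""
    with tempfile.TemporaryDirectory() as root:
        files = {".htaccess": "AddHandler cgi-script .phtml\n",
                 "file.phtml": "#!/usr/bin/php -c /myrootfolder/php.ini\n<?php echo 1; ?>\n",
                 "php.ini": "cgi.force_redirect = 0\n"}
        for name, body in files.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        os.chmod(os.path.join(root, "file.phtml"), 0o755)
        return [(kind, os.path.basename(p), d) for kind, p, d in audit(root)]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

In Apache, AddHandler in .htaccess is honoured only where AllowOverride includes FileInfo (or is All), so findings of the first kind show where that override is in effect.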
 
Last updated: Sat May 18 02:01:33 2024 UTC