ID: 22270
Updated by: [email]iliaaphp.net[/email]
Reported By: zlo at canada dot com
-Status: Assigned
+Status: No Feedback
Bug Type: CGI related
Operating System: RedHat 7.2
PHP Version: 4CVS-2003-02-18 (stable)
Assigned To: shane


Previous Comments:
------------------------------------------------------------------------

[2003-05-26 18:26:19] [email]sniperphp.net[/email]

Does this happen with latest stable snapshot from snaps.php.net ?


------------------------------------------------------------------------

[2003-02-19 10:06:04] zlo at canada dot com

here is my configure:
../configure' '--with-config-file-path=/path/to/php'
'--prefix=/path/to/php-test' '--enable-force-cgi-redirect'
'--disable-cli' '--enable-bcmath' '--enable-trans-sid'
'--with-zlib-dir=/build/zlib-1.1.4' '--with-mysql=/usr/local'

i also put cgi.fix_pathinfo in php.ini, doesn't help.

------------------------------------------------------------------------

[2003-02-19 01:09:34] [email]shanephp.net[/email]

This has happened for some time, it's a big part of what prompted my
starting on rewriting cgi stuff. It shouldn't happen with 4.3 if
cgi.fix_pathinfo=1, or if you don't compile with discard-path.

------------------------------------------------------------------------

[2003-02-18 07:29:10] zlo at canada dot com

when PHP cgi binary is called from cgi-bin without cgi-redirect, it
ps itself (argv[0] of the binary, whatever that happens to be)! i
don't think it represents much of a security problem (it still does to
some extent, because it reveals path to php and default settings), and
no sane person will run the cgi binary without cgi-redirect, but i
don't think its the way its supposed to be either..

here is a simple example; this also works with the php binary itself in
place of this binary.
this results in some binary output and the typical phpinfo() page in
the middle:
# cat php.c

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

const char *PHP_BINARY="/path/to/php/bin/php";
const char * dummy="<?php phpinfo(); ?>";

int main(int argc, char *argv[]){
execl(PHP_BINARY,argv[0],0);
return 1;
};

p.s. btw this simple wrapper (without the phpinfo() part, or course)
can be used as a workaround for the vulnerability with cgi-redirect
that resulted in the release of 4.3.1 since it removes parameters
before exec'ing php itself..

p.p.s. where can i post "feedback"? i can't seem to find it..

------------------------------------------------------------------------


--
Edit this bug report at [url]http://bugs.php.net/?id=22270&edit=1[/url]