ID: 22270
Updated by: [email][/email]
Reported By: zlo at canada dot com
-Status: Assigned
+Status: No Feedback
Bug Type: CGI related
Operating System: RedHat 7.2
PHP Version: 4CVS-2003-02-18 (stable)
Assigned To: shane

Previous Comments:

[2003-05-26 18:26:19] [email][/email]

Does this happen with latest stable snapshot from ?


[2003-02-19 10:06:04] zlo at canada dot com

here is my configure:
../configure' '--with-config-file-path=/path/to/php'
'--prefix=/path/to/php-test' '--enable-force-cgi-redirect'
'--disable-cli' '--enable-bcmath' '--enable-trans-sid'
'--with-zlib-dir=/build/zlib-1.1.4' '--with-mysql=/usr/local'

i also put cgi.fix_pathinfo in php.ini, doesn't help.


[2003-02-19 01:09:34] [email][/email]

This has happened for some time, it's a big part of what prompted my
starting on rewriting cgi stuff. It shouldn't happen with 4.3 if
cgi.fix_pathinfo=1, or if you don't compile with discard-path.


[2003-02-18 07:29:10] zlo at canada dot com

when PHP cgi binary is called from cgi-bin without cgi-redirect, it
ps itself (argv[0] of the binary, whatever that happens to be)! i
don't think it represents much of a security problem (it still does to
some extent, because it reveals path to php and default settings), and
no sane person will run the cgi binary without cgi-redirect, but i
don't think its the way its supposed to be either..

here is a simple example; this also works with the php binary itself in
place of this binary.
this results in some binary output and the typical phpinfo() page in
the middle:
# cat php.c

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

const char *PHP_BINARY="/path/to/php/bin/php";
const char * dummy="<?php phpinfo(); ?>";

int main(int argc, char *argv[]){
return 1;

p.s. btw this simple wrapper (without the phpinfo() part, or course)
can be used as a workaround for the vulnerability with cgi-redirect
that resulted in the release of 4.3.1 since it removes parameters
before exec'ing php itself..

p.p.s. where can i post "feedback"? i can't seem to find it..


Edit this bug report at [url][/url]