Bugtraq mailing list archives
Re: www-sql cgi prog overrides .htaccess restrictions.
From: bourbon () NETVISION NET IL (Zeev Suraski)
Date: Thu, 19 Feb 1998 18:20:08 -0500
This is a resend - I don't know if the original message was filtered out or lost due to the netspace quirks...

At 11:57 10/02/98 +0100, Sebastian Andersson wrote:
I use PHP/FI as a cgi program with Apache and Apache's Action directive. To stop this bug, I added this to php/fi 2.0b12's main.c file (around line 45):

#if PHPFASTCGI
while(FCGI_Accept() >= 0) {
#endif
+ s = getenv("REDIRECT_STATUS");
+ if(!s) {
+ puts("Content-type: text/plain\r\n\r\nPHP/FI detected an
internal error. Please inform sa () hogia net of what you just did.\n");
+ exit(1);
+ }
s = getenv("PATH_TRANSLATED");

This prevents the script from being called directly via an URL since that wouldn't set the REDIRECT_STATUS variable. I believe I sent this to the PHP/FI development list, but I never heard anything from them (probably because they were going to drop the cgi support).
Hi,

CGI support isn't going away anytime soon. It's supported in the new version (PHP 3.0) and isn't scheduled to be discontinued.

Note that even with your patch, people on your machine with permissions to use PHP scripts will still be able to access files with the same permissions as the user running the web server (or the CGI, if you use suexec), possibly overriding any apache .htaccess restrictions. However, you can configure this using safe mode.

In any case, your patch does give some extra security to the CGI version of PHP when using apache's Action feature, so I added it to the source tree of PHP 3. Thanks for the suggestion.

Zeev

---
Zeev Suraski <zeev () php net>
Web programmer, System administrator, Netvision LTD
http://bourbon.netvision.net.il/
ICQ: 1450980
For a PGP public key, finger bourbon () netvision net il
Current thread:
- Re: www-sql cgi prog overrides .htaccess restrictions. Sebastian Andersson (Feb 10)
- <Possible follow-ups>
- Re: www-sql cgi prog overrides .htaccess restrictions. Zeev Suraski (Feb 19)