ID: 22270
Updated by: [EMAIL PROTECTED]
Reported By: zlo at canada dot com
Status: Assigned
Bug Type: Apache related
Operating System: RedHat 7.2
PHP Version: 4CVS-2003-02-18 (stable)
Assigned To: shane
New Comment:
This has happened for some time, it's a big part of what prompted my
starting on rewriting cgi stuff. It shouldn't happen with 4.3 if
cgi.fix_pathinfo=1, or if you don't compile with discard-path.
Previous Comments:
------------------------------------------------------------------------
[2003-02-18 07:29:10] zlo at canada dot com
when PHP cgi binary is called from cgi-bin without cgi-redirect, it
parses itself (argv[0] of the binary, whatever that happens to be)! i
don't think it represents much of a security problem (it still does to
some extent, because it reveals path to php and default settings), and
no sane person will run the cgi binary without cgi-redirect, but i
don't think its the way its supposed to be either..
here is a simple example; this also works with the php binary itself in
place of this binary.
this results in some binary output and the typical phpinfo() page in
the middle:
# cat php.c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
const char *PHP_BINARY="/path/to/php/bin/php";
const char * dummy="<?php phpinfo(); ?>";
int main(int argc, char *argv[]){
execl(PHP_BINARY,argv[0],0);
return 1;
};
p.s. btw this simple wrapper (without the phpinfo() part, or course)
can be used as a workaround for the vulnerability with cgi-redirect
that resulted in the release of 4.3.1 since it removes parameters
before exec'ing php itself..
p.p.s. where can i post "feedback"? i can't seem to find it..
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=22270&edit=1
