#22270 [Asn]: cgi binary parses itself when called directly

Wed, 19 Feb 2003 08:05:09 -0800 

 ID:               22270
 User updated by:  zlo at canada dot com
 Reported By:      zlo at canada dot com
 Status:           Assigned
 Bug Type:         CGI related
 Operating System: RedHat 7.2
 PHP Version:      4CVS-2003-02-18 (stable)
 Assigned To:      shane
 New Comment:

here is my configure:
./configure' '--with-config-file-path=/path/to/php'
'--prefix=/path/to/php-test' '--enable-force-cgi-redirect'
'--disable-cli' '--enable-bcmath' '--enable-trans-sid'
'--with-zlib-dir=/build/zlib-1.1.4' '--with-mysql=/usr/local' 

i also put cgi.fix_pathinfo in php.ini, doesn't help.


Previous Comments:
------------------------------------------------------------------------

[2003-02-19 01:09:34] [EMAIL PROTECTED]

This has happened for some time, it's a big part of what prompted my
starting on rewriting cgi stuff.  It shouldn't happen with 4.3 if
cgi.fix_pathinfo=1, or if you don't compile with discard-path.

------------------------------------------------------------------------

[2003-02-18 07:29:10] zlo at canada dot com

when PHP cgi binary is called from cgi-bin without cgi-redirect, it
parses itself (argv[0] of the binary, whatever that happens to be)! i
don't think it represents much of a security problem (it still does to
some extent, because it reveals path to php and default settings), and
no sane person will run the cgi binary without cgi-redirect, but i
don't think its the way its supposed to be either..

here is a simple example; this also works with the php binary itself in
place of this binary. 
this results in some binary output and the typical phpinfo() page in
the middle:
# cat php.c

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

const char *PHP_BINARY="/path/to/php/bin/php";
const char * dummy="<?php phpinfo(); ?>";

int main(int argc, char *argv[]){
  execl(PHP_BINARY,argv[0],0);
  return 1;
};

p.s. btw this simple wrapper (without the phpinfo() part, or course)
can be used as a workaround for the vulnerability with cgi-redirect
that resulted in the release of 4.3.1 since it removes parameters
before exec'ing php itself..

p.p.s. where can i post "feedback"? i can't seem to find it..

------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=22270&edit=1

Reply via email to