
Case 2: using --enable-force-cgi-redirect

This compile-time option prevents anyone from calling PHP directly with a URL like http://my.host/cgi-bin/php/secretdir/script.php. Instead, PHP will only parse in this mode if it has gone through a web server redirect rule.

Usually the redirection in the Apache configuration is done with the following directives:

Action php-script /cgi-bin/php
AddHandler php-script .php

This option has only been tested with the Apache web server, and relies on Apache to set the non-standard CGI environment variable REDIRECT_STATUS on redirected requests. If your web server does not support any way of telling if the request is direct or redirected, you cannot use this option and you must use one of the other ways of running the CGI version documented here.
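The gate described above, sketched in C as an added example (this is not PHP's own source): a CGI program that refuses to run unless the web server set REDIRECT_STATUS on the request. The name check_redirect, the stricter three-digit check on the value, and the 403 response are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200112L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum gate { GATE_ALLOW = 0, GATE_DENY_DIRECT = 1 };

/* check_redirect (hypothetical name): allow the request only when the
 * web server marked it as an internal redirect by setting
 * REDIRECT_STATUS. Assumption of this example: the value must look like
 * a three-digit HTTP status; unset, empty or other values are refused. */
enum gate check_redirect(void)
{
    const char *st = getenv("REDIRECT_STATUS");

    if (st == NULL || strlen(st) != 3)
        return GATE_DENY_DIRECT;
    for (size_t i = 0; i < 3; i++)
        if (!isdigit((unsigned char)st[i]))
            return GATE_DENY_DIRECT;
    return GATE_ALLOW;
}

int main(void)
{
    if (check_redirect() != GATE_ALLOW) {
        /* Reached on a direct call such as
         * /cgi-bin/php/secretdir/script.php, where no redirect rule
         * (Action/AddHandler) was involved. */
        fputs("Status: 403 Forbidden\r\n"
              "Content-Type: text/plain\r\n\r\n"
              "Direct invocation refused.\n", stdout);
        return 0;
    }

    /* Redirected request: the server tells us which file to handle. */
    const char *script = getenv("PATH_TRANSLATED");
    printf("Content-Type: text/plain\r\n\r\n"
           "Would process: %s\n", script ? script : "(none)");
    return 0;
}
```

The check is only as trustworthy as the server's handling of that variable, which is why a server that never sets it cannot use this option.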

Code Examples / Notes » security.cgi_bin.force_redirect

gelgin

Solaris 9, PHP 4.4.0
I have found you can't use arbitrary names, i.e.
AddType application/x-httpd-php .php
works
#AddHandler php4-script .php
won't do; it must be
AddHandler application/x-httpd-php


celtic

Note that force-redirect doesn't work with IIS at all; it'll tell you to go away, as IIS doesn't supply the right variables to PHP.
php.ini tells you to turn it off, so make sure you do.

