[nag] Accessing CGI directly

Cort Tompkins rtompkin@cs.odu.edu
Thu, 14 Jun 2001 01:07:08 -0400


I was trying to add a new task and task.php was trying to post directly to the 
cgi (i.e. /cgi-bin/php4.cgi) rather than itself.  PHP itself prints out this 
error: "Security Alert! PHP CGI cannot be accessed directly. This PHP CGI 
binary was compiled with force-cgi-redirect enabled. This means that a page 
will only be served up if the REDIRECT_STATUS CGI variable is set. This 
variable is set, for example, by Apache's Action directive redirect. " ... and 
it goes on to give more information.

I've identified this as a Horde issue but I'll clarify for you anyway.  I run
PHP as a cgi (in my cgi-bin directory) under my own username via a wrapper 
script.  To prevent people from posting scripts to the cgi binary that do 
things like "exec('cat /horde/config/conf.php')" which may reveal sensitive 
information (like DB passwords) in the web directory, cgi versions of PHP 
prevent direct access to the CGI (i.e. you can't post form data to it).

I've traced the problem back to Horde::selfURL which uses $SCRIPT_NAME which in 
turn gives the path of the CGI.  I changed selfURL to use $PHP_SELF which 
actually gives the name of the current script.  This seems to have resolved my 
issue but I posted my fix to the Horde list to verify that my change makes 
sense.

Thanks for the response,
Cort Tompkins

> I'm not sure I follow you.  What is the problem you're
> encountering?  Please provide error messages, etc.
> 
> -- 
> Jon Parise (jon@csh.rit.edu)  .  Rochester Inst. of Technology
> http://www.csh.rit.edu/~jon/  :  Computer Science House Member
>
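
Added example, not part of the original message and not Horde's own code: a sketch of building a form's self-referencing URL from PHP_SELF rather than SCRIPT_NAME, as the message describes. The helper names, the sample server variables, the /horde/nag/task.php path and the assumption that script names end in ".php" are all constructed for illustration; because PHP_SELF can carry request-supplied trailing path info, the sketch trims and HTML-escapes it before use.

```php
<?php
// Added illustration. script_path(), posts_to_interpreter() and self_url()
// are hypothetical helpers, not Horde::selfURL. Sample values are constructed.

// Path of the running script: PHP_SELF with trailing path info cut off.
// Assumption: script names end in ".php".
function script_path(array $server): string
{
    $self = $server['PHP_SELF'] ?? '';
    if (preg_match('#^(.*?\.php)(?:/|$)#', $self, $m)) {
        return $m[1];
    }
    return $self;
}

// True when a form action built from SCRIPT_NAME would point at something
// other than the running script (e.g. the CGI interpreter binary).
function posts_to_interpreter(array $server): bool
{
    return ($server['SCRIPT_NAME'] ?? '') !== script_path($server);
}

// Value safe to place inside an HTML form action attribute.
function self_url(array $server): string
{
    return htmlspecialchars(script_path($server), ENT_QUOTES, 'UTF-8');
}

// Constructed server variables for three deployments.
$samples = [
    'CGI via Action'  => ['SCRIPT_NAME' => '/cgi-bin/php4.cgi',
                          'PHP_SELF'    => '/horde/nag/task.php',
                          'REDIRECT_STATUS' => '200'],
    'Apache module'   => ['SCRIPT_NAME' => '/horde/nag/task.php',
                          'PHP_SELF'    => '/horde/nag/task.php'],
    'extra path info' => ['SCRIPT_NAME' => '/horde/nag/task.php',
                          'PHP_SELF'    => '/horde/nag/task.php/extra"path'],
];

foreach ($samples as $label => $server) {
    printf("%-16s action=\"%s\"  SCRIPT_NAME targets another path: %s\n",
        $label,
        self_url($server),
        posts_to_interpreter($server) ? 'yes' : 'no');
}
```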