Posted by Joseph S. on 02/22/06 21:14

hi,
thanks for the replies.
(1) I am using my setup only for testing and development, so I do not
have to worry about the reliability/stability of PHP 5/Apache2 in CGI
mode on WIndows at the moment. The deployment server is linux.

(2)
> Have you done a PHPInfo? If you can't get this to work then you haven't
> installed php correctly.
> Create a page simply put this in it...
> <?phpinfo();?>
Tried that out. Surprisingly, see
http://in.php.net/manual/en/security.cgi-bin.shell.php : it says you
have to put the "shebang"(#!) line on top of each script if you are
running the code in CGI mode !
Tried that out only to get a nicer error in the logs:
----------start-------------
Premature end of script headers: index.php
<b>Security Alert!</b> The PHP CGI cannot be accessed directly.
<p>This PHP CGI binary was compiled with force-cgi-redirect enabled.
This
means that a page will only be served up if the REDIRECT_STATUS CGI
variable is
set, e.g. via an Apache Action directive.</p>
<p>For more information as to <i>why</i> this behaviour exists, see the
<a href="http://php.net/security.cgi-bin">manual page for CGI
security</a>.</p>
<p>For more information about changing this behaviour or re-enabling
this webserver,
consult the installation file that came with this distribution, or
visit
<a href="http://php.net/install.windows">the manual page</a>.</p>
----------end-----------
All I needed to do was to set the value of the REDIRECT_STATUS CGI
variable.
This I did by adding a line below the Action application/x-httpd-php
line in httpd.conf :

SetEnv REDIRECT_STATUS On

This is clearly a dirty hack. And I dont think it solves the problem
that was being addressed by the error message. If my understanding is
not wrong, it is like this:
Some component of the system (either Apache or PHP) needs to know that
the request for the script is not direct (by direct typing of url e.g.
http://my.host/cgi-bin/php?/etc/passwd or
http://my.host/cgi-bin/php/secret/doc.html etc)
but redirected from Apache by either Alias or Rewrite or something.
The correct value of REDIRECT_STATUS will differentiate between direct
typing and Apache redirection.
Anyways, it is working for now.
Direct access to the php cgi executable in my case is not possible
because it is outside the document root.
However, the serious issue of writing the #! line is present yet. It
openly states the path to the php interpreter. If somehow the code is
exposed, my interpreter path is there for all to see.

However, that we'll see later.

Regards,
JS

• Next in forum: Re: PHP Password / Linux Admin Password Comparison
• Prev in forum: Re: PHP Password / Linux Admin Password Comparison
• Thread view: Re: apache php cgi install problem

[Reply to this message]