The ``++cgi.force_redirect++`` _php.ini_ configuration controls the behavior of the PHP engine when used in CGI mode. In particular, it prevents CGI scripts from being directly requested without prior web server or application processing. When disabled, CGI scripts can be requested directly. == Why is this an issue? Pre-processing on the server side is often required to check users authentication when working in CGI mode. Those preliminary actions can also position diverse configuration parameters necessary for the CGI script to work correctly. === What is the potential impact? CGI scripts might behave unexpectedly if the proper configuration is not set up before they are accessed. Most serious security-related consequences will affect the authorization and authentication mechanisms of the application. When the web server is responsible for authenticating clients and forwarding the proper identity to the script, direct access will bypass this authentication step. Attackers could also provide arbitrary identities to the CGI script by forging specific HTTP headers or parameters. They could then impersonate any legitimate user of the application. == How to fix it `cgi.force_redirect` should be enforced in the main PHP configuration file. Note that this parameter is enabled by default. === Code examples ==== Noncompliant code example [source,php,diff-id=1,diff-type=noncompliant] ---- ; php.ini cgi.force_redirect=0 ; Noncompliant ---- ==== Compliant solution [source,php,diff-id=1,diff-type=compliant] ---- ; php.ini cgi.force_redirect=1 ; Noncompliant ---- === Pitfalls The `cgi.force_redirect` is not supported by all web servers. For example, Microsoft IIS web server is unable to differentiate an internally redirected request from a normal one. While using such a server, the `cgi.force_redirect` parameter will have to be disabled for the CGI scripts to work properly. In that case, it is important to ensure the CGI behavior is aware of the security threat. == Resources === Standards * OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration] * OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration] * CWE - https://cwe.mitre.org/data/definitions/305[CWE-305 - Authentication Bypass by Primary Weakness] ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) === Message Remove this configuration disabling "cgi.force_redirect". ''' == Comments And Links (visible only on this page) === on 1 Sep 2015, 07:46:06 Linda Martin wrote: LGTM! endif::env-github,rspecator-view[]