The ``++cgi.force_redirect++`` _php.ini_ directive controls the behavior of
the PHP engine when it runs as a CGI binary. When it is enabled, the PHP CGI
executable refuses to serve a request unless the web server signals that the
request was internally redirected to it (for example through the
`REDIRECT_STATUS` environment variable), so CGI scripts cannot be requested
directly without prior web server or application processing.

When disabled, CGI scripts can be requested directly.

== Why is this an issue?

Pre-processing on the server side is often required to check users'
authentication when working in CGI mode. Those preliminary actions can also
set various configuration parameters (environment variables, for instance) that
the CGI script needs in order to work correctly.

=== What is the potential impact?

CGI scripts might behave unexpectedly if the proper configuration is not set up
before they are accessed.

The most serious security-related consequences affect the authorization and
authentication mechanisms of the application. When the web server is responsible
for authenticating clients and forwarding the resulting identity to the script,
requesting the script directly bypasses this authentication step.

Attackers could also provide arbitrary identities to the CGI script by forging
the HTTP headers or parameters that the script expects the web server to have
set. They could then impersonate any legitimate user of the application.

== How to fix it

`cgi.force_redirect` should be enabled in the main PHP configuration file
loaded by the CGI SAPI. The PHP CGI binary does not necessarily read the same
_php.ini_ as the command-line binary; `php-cgi -i` reports the loaded
configuration file and the effective value of the directive.

Note that this parameter is enabled by default: the issue only arises when a
configuration file explicitly disables it.

=== Code examples

==== Noncompliant code example

[source,ini,diff-id=1,diff-type=noncompliant]
----
; php.ini
cgi.force_redirect=0 ; Noncompliant
----


==== Compliant solution

[source,ini,diff-id=1,diff-type=compliant]
----
; php.ini
cgi.force_redirect=1
----

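The following audit script is an added example, not part of this rule or of the
PHP project. It reports every `cgi.force_redirect` assignment in a _php.ini_ and
the value PHP actually derives from it, reproducing PHP's boolean conversion:
the words `on`, `yes` and `true` are true, and any other value goes through
`atoi()`, so only a leading non-zero integer counts as enabled. A spelling such
as `cgi.force_redirect=enabled` therefore silently disables the protection. The
sample _php.ini_ is constructed for the demo, and the handling of `[HOST=...]`
and `[PATH=...]` sections as per-host overrides is an assumption of the script.

```python
"""Audit a php.ini for an effectively disabled cgi.force_redirect.

Added example, not code from the PHP project or from this rule. It mirrors how
PHP converts an ini value to a boolean so that the audit flags spellings that
look enabled but are not. SAMPLE_INI below is constructed for the demo.
"""
import re

# The php.ini scanner maps the bare words true/on/yes to "1" and false/off/no/
# none/null to "", then the directive handler (zend_ini_parse_bool) treats
# on/yes/true as true and everything else via atoi(): only a leading non-zero
# integer survives. "enabled", "none" or a stray word therefore mean OFF.
_TRUE_WORDS = {"on", "yes", "true"}
_ATOI = re.compile(r"\s*[+-]?\d+")


def php_ini_bool(raw: str) -> bool:
    """Evaluate an ini value the way PHP's boolean directive handler does."""
    value = raw.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        value = value[1:-1]  # quoted value: keep the inner text as-is
    if value.lower() in _TRUE_WORDS:
        return True
    m = _ATOI.match(value)
    return m is not None and int(m.group()) != 0


def _strip_comment(line: str) -> str:
    """Drop a trailing ';' comment, leaving a ';' inside a quoted value alone."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == ";":
            return line[:i]
    return line


def audit(ini_text: str):
    """Return (global_enabled, findings).

    findings is a list of (line_no, section, raw_value, enabled) for every
    cgi.force_redirect assignment. global_enabled is what the CGI SAPI ends up
    with for the default section: the last assignment wins, and no assignment
    at all means the built-in default, which is enabled.
    Assumption for this demo: [HOST=...] / [PATH=...] sections are per-host
    overrides and do not change the global verdict.
    """
    section = ""
    global_enabled = True
    findings = []
    for line_no, line in enumerate(ini_text.splitlines(), 1):
        text = _strip_comment(line).strip()
        if not text:
            continue
        if text.startswith("[") and text.endswith("]"):
            section = text[1:-1]
            continue
        key, sep, value = text.partition("=")
        if not sep or key.strip().lower() != "cgi.force_redirect":
            continue
        enabled = php_ini_bool(value)
        findings.append((line_no, section, value.strip(), enabled))
        if not section.upper().startswith(("HOST=", "PATH=")):
            global_enabled = enabled
    return global_enabled, findings


# Constructed sample php.ini for the demo.
SAMPLE_INI = """\
[PHP]
; constructed sample php.ini for this example
engine = On
cgi.force_redirect = 0 ; Noncompliant
cgi.force_redirect = "enabled"   ; looks enabled, but PHP's atoi() reads it as 0
[HOST=intranet.example.test]
cgi.force_redirect = On
"""

if __name__ == "__main__":
    enabled, findings = audit(SAMPLE_INI)
    for line_no, section, value, on in findings:
        state = "enabled" if on else "DISABLED"
        print(f"line {line_no} [{section or 'global'}]: "
              f"cgi.force_redirect = {value!r} -> {state}")
    print("effective global setting:", "enabled" if enabled else "DISABLED")
```

Run it against the _php.ini_ that `php-cgi -i` reports as loaded rather than the
CLI one; on the constructed sample the global verdict is DISABLED, because the
last global assignment is the misspelled `"enabled"`.
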
=== Pitfalls

`cgi.force_redirect` is not supported by all web servers. For example, the
Microsoft IIS web server is unable to differentiate an internally redirected
request from a normal one, so the PHP CGI binary rejects every request when the
directive is enabled. Servers that do perform an internal redirect but expose it
under a different environment variable can keep the protection by naming that
variable in `cgi.redirect_status_env`.

While using a server such as IIS, the `cgi.force_redirect` parameter will have
to be disabled for the CGI scripts to work properly. In that case, the scripts
themselves must be written with the threat in mind: they cannot assume the web
server has already authenticated the caller, and they must not derive the
caller's identity from headers or parameters that a client can set directly.

== Resources

=== Standards

* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
* CWE - https://cwe.mitre.org/data/definitions/305[CWE-305 - Authentication Bypass by Primary Weakness]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Remove this configuration disabling "cgi.force_redirect".


'''
== Comments And Links
(visible only on this page)

=== on 1 Sep 2015, 07:46:06 Linda Martin wrote:
LGTM!

endif::env-github,rspecator-view[]