Security Alert! The PHP CGI cannot be accessed directly...

Good Day;

I just performed an install of PHP 4.3.10 using the "php.ini-recommended" on 
IIS6 and was getting:

"Security Alert! The PHP CGI cannot be accessed directly.
This PHP CGI binary was compiled with force-cgi-redirect
enabled. This means that a page will only be served up if the
REDIRECT_STATUS CGI variable is set, e.g. via an
Apache Action directive."

After some research and talking to some php programmer buddies, the solution 
seemed to be to add the following to the php.ini:
cgi.force_redirect = 0
cgi.redirect_status_env ="yes";

http://codewalkers.com/archives/phphelp/211.html

Now my server functions but I am concerned with potential security problems. 
The INI file and the on-line manual state that REDIRECT_STATUS relates to 
Apache only and infers that it may be a serious security risk on other web 
servers.

Note that in addition to adding PHP.EXE into the "APPLICATION CONFIGURATION" 
of a specific virtual server, I also had to add it into the WEB SERVER 
EXTENSIONS on the IIS6 server.  This step was not documented in the PHP 
manuals I reviewed but it was required.

Any explanation as to what these settings do and whether I have exposed my 
customers' systems would be appreciated. 

-- 
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
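
The following is an added example, not part of the original post or of PHP's own code: a simplified Python model of the redirect check described in the quoted error message, evaluated against the two php.ini lines from the post. The function names (parse_ini, cgi_gate) and the sample inputs are constructed for illustration.

```python
import re

# Values PHP's ini handling treats as "off" for a boolean directive.
FALSY = {"", "0", "off", "false", "no", "none"}

def parse_ini(text):
    """Return {directive: value}; ';' starts a comment, the last assignment wins."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r'\s*([A-Za-z0-9_.]+)\s*=\s*(?:"([^"]*)"|([^;]*))', line)
        if m:
            quoted, bare = m.group(2), m.group(3)
            settings[m.group(1)] = quoted if quoted is not None else bare.strip()
    return settings

def cgi_gate(settings, env):
    """Simplified model of the check that produces the 'Security Alert!' page.

    Returns (served, reason) for a request reaching the CGI binary with `env`.
    """
    if settings.get("cgi.force_redirect", "1").lower() in FALSY:
        return True, "cgi.force_redirect is off: no redirect check is made"
    accepted = ["REDIRECT_STATUS", "HTTP_REDIRECT_STATUS"]
    custom = settings.get("cgi.redirect_status_env")
    if custom:
        accepted.append(custom)  # extra variable name the server is expected to set
    for name in accepted:
        if name in env:
            return True, f"{name} is set by the web server"
    return False, "no redirect variable set: Security Alert page"

# Constructed inputs: the two lines from the post, and a variant that keeps the check on.
POSTED = 'cgi.force_redirect = 0\ncgi.redirect_status_env ="yes";\n'
CHECK_ON = 'cgi.force_redirect = 1\ncgi.redirect_status_env ="yes";\n'

if __name__ == "__main__":
    for label, ini, env in [
        ("posted settings, direct request", POSTED, {}),
        ("defaults, direct request", "", {}),
        ("defaults, Apache Action redirect", "", {"REDIRECT_STATUS": "200"}),
        ("check on, custom variable present", CHECK_ON, {"yes": "1"}),
    ]:
        print(label, "->", cgi_gate(parse_ini(ini), env))
```

In this model the cgi.redirect_status_env value is only consulted while cgi.force_redirect is on, so with the posted settings it has no effect.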