Test For Checking CGI Force Redirect

The cgi_force_redirect is a configuration directive that prevents anyone from calling directly using a URL. There are servers having cgi_force_redirect as off. The configuration directive cgi_force_redirect prevents anyone from calling PHP directly using a URL. It is necessary to provide security to a server running PHP as a CGI under the server.


The below URL is from a server that didn’t implement cgi_force_redirect.


The below code is the example of redirection in apache configuration.

        Action php-script /cgi-bin/php
        AddHandler php-main_script .php



The impact include:-

  • Possible manipulation of sensitive information
  • Possible leakage of sensitive information
  • The attacker will gain administrator access to the web application

Mitigation / Precaution

This vulnerability can be fixed by:-

  • Enabling cgi_force_redirect. Compile the below code to PHP.

  • Updating PHP to the latest version.

Latest Articles