Test For Checking CGI Force Redirect

The cgi_force_redirect is a configuration directive that prevents anyone from calling directly using a URL. There are servers having cgi_force_redirect as off. The configuration directive cgi_force_redirect prevents anyone from calling PHP directly using a URL. It is necessary to provide security to a server running PHP as a CGI under the server.

Example

The below URL is from a server that didn’t implement cgi_force_redirect.

http://www.testbeagle.com/cgi-bin/php/somerandomdirectory/main_script.php

The below code is the example of redirection in apache configuration.

        Action php-script /cgi-bin/php
        AddHandler php-main_script .php

    

Impact

The impact include:-

  • Possible manipulation of sensitive information
  • Possible leakage of sensitive information
  • The attacker will gain administrator access to the web application

Mitigation / Precaution

This vulnerability can be fixed by:-

  • Enabling cgi_force_redirect. Compile the below code to PHP.
        --enable-force-cgi-redirect

    
  • Updating PHP to the latest version.

Latest Articles