Dl PHP cgi.force_redirect disabled

Rejah Rehim
Published on
02 Jul 2018
1 min read

If cgi_force_redirect is disabled, it will allow attackers to directly call the PHP intercepter. The attacker can misuse this configuration to bypass permissions and access sensitive information from the server. If the PHP interceptor is directly installed into the CGI, then all the requests to the PHP resources will be redirected to the interceptor. Consider if a user requests for http://www.example.beaglesecurity.com/content/page.php, the server will check the permission in /content directory and redirect the user using http://www.example.beaglesecurity.com/cgi-bin/php/content/page.php to the PHP interceptor. If cgi_force_redirect is disabled, an attacker can access to /cgi-bin/php can make access to sensitive information from the server.


The below URL is from a server that didn’t implement cgi_force_redirect.


The below code is the example of redirection in apache configuration.

        Action php-script /cgi-bin/php
        AddHandler php-main_script .php



Using this vulnerability, an attacker can:-

  • manipulate sensitive information
  • leak sensitive information
  • gain administrator access to the web application

Mitigation / Precaution

Beagle recommends the following fixes:-

  • Enable cgi_force_redirect. Compile the below code to PHP.

  • Try to Update PHP to the latest version.
Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Rejah Rehim
Rejah Rehim
Co-founder, Director
Find website security issues in a flash
Improve your website's security posture with proactive vulnerability detection.
Free website security assessment