If cgi_force_redirect is disabled, it will allow attackers to directly call the PHP intercepter. The attacker can misuse this configuration to bypass permissions and access sensitive information from the server. If the PHP interceptor is directly installed into the CGI, then all the requests to the PHP resources will be redirected to the interceptor. Consider if a user requests for http://www.example.beaglesecurity.com/content/page.php, the server will check the permission in /content directory and redirect the user using http://www.example.beaglesecurity.com/cgi-bin/php/content/page.php to the PHP interceptor. If cgi_force_redirect is disabled, an attacker can access to /cgi-bin/php can make access to sensitive information from the server.
Example
The below URL is from a server that didn’t implement cgi_force_redirect.
https://www.example.beaglesecurity.com/cgi-bin/php/somerandomdirectory/main_script.php
The below code is the example of redirection in apache configuration.
Action php-script /cgi-bin/php
AddHandler php-main_script .php
Impact
Using this vulnerability, an attacker can:-
- manipulate sensitive information
- leak sensitive information
- gain administrator access to the web application
Mitigation / Precaution
Beagle recommends the following fixes:-
- Enable cgi_force_redirect. Compile the below code to PHP.
--enable-force-cgi-redirect
- Try to Update PHP to the latest version.
