Vulnerability
The cgi_force_redirect is a configuration directive that prevents anyone from calling directly using a URL. There are servers having cgi_force_redirect as off. The configuration directive cgi_force_redirect prevents anyone from calling PHP directly using a URL. It is necessary to provide security to a server running PHP as a CGI under the server.
Example
The below URL is from a server that didn’t implement cgi_force_redirect.
http://www.testbeagle.com/cgi-bin/php/somerandomdirectory/main_script.php
The below code is the example of redirection in apache configuration.
Action php-script /cgi-bin/php
AddHandler php-main_script .php
Impact
The impact include:-
- Possible manipulation of sensitive information
- Possible leakage of sensitive information
- The attacker will gain administrator access to the web application
Mitigation / Precaution
This vulnerability can be fixed by:-
- Enabling cgi_force_redirect. Compile the below code to PHP.
--enable-force-cgi-redirect
- Updating PHP to the latest version.
Written by
Experience the Beagle Security platform
Unlock one full penetration test and all Advanced plan features free for 10 days
