Test For Checking CGI Force Redirect

By
Nash N Sulthan
Published on
02 Mar 2022
Vulnerability

The cgi_force_redirect is a configuration directive that prevents anyone from calling directly using a URL. There are servers having cgi_force_redirect as off. The configuration directive cgi_force_redirect prevents anyone from calling PHP directly using a URL. It is necessary to provide security to a server running PHP as a CGI under the server.

Example

The below URL is from a server that didn’t implement cgi_force_redirect.

http://www.testbeagle.com/cgi-bin/php/somerandomdirectory/main_script.php

The below code is the example of redirection in apache configuration.

        Action php-script /cgi-bin/php
        AddHandler php-main_script .php

    

Impact

The impact include:-

  • Possible manipulation of sensitive information
  • Possible leakage of sensitive information
  • The attacker will gain administrator access to the web application

Mitigation / Precaution

This vulnerability can be fixed by:-

  • Enabling cgi_force_redirect. Compile the below code to PHP.
        --enable-force-cgi-redirect

    
  • Updating PHP to the latest version.
Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Nash N Sulthan
Nash N Sulthan
Cyber Security Lead Engineer
Experience the Beagle Security platform
Unlock one full penetration test and all Advanced plan features free for 10 days
Find surface-level website security issues in under a minute
Free website security assessment
Experience the power of automated penetration testing & contextual reporting.