
PHP : Unsafe CGI usage

Overview

The application allows users to run the PHP interpreter directly. This could allow an attacker to bypass authentication checks and gain access to protected files on the server.

If the PHP interpreter is installed as a CGI binary, the web server usually redirects requests for PHP resources to the interpreter.

The cgi.force_redirect parameter is enabled by default. If it is turned off, an attacker with access to /cgi-bin/php can use the PHP interpreter's permissions to access arbitrary web documents, bypassing the access-rights checks that the server would otherwise enforce.
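One way to check a server's configuration for this finding, as an added example that is not part of the original entry or of DerScanner: a small auditor that works out the effective cgi.force_redirect value from php.ini text. The function names and both sample files are hypothetical and constructed for illustration; the boolean parsing approximates PHP's own handling of ini values.

```python
import re

# Constructed sample php.ini contents (not taken from any real server).
SAMPLE_HARDENED = """\
[PHP]
; cgi.force_redirect = 0   (commented out, so the default applies)
expose_php = Off
"""

SAMPLE_WEAK = """\
[PHP]
cgi.force_redirect = 1
cgi.force_redirect = "Off"  ; later assignment overrides the earlier one
"""

# Directive names in php.ini are case-sensitive, so no IGNORECASE flag.
_ASSIGN = re.compile(r"^\s*cgi\.force_redirect\s*=\s*(.*)$")


def ini_bool(raw):
    """Approximate PHP's interpretation of a boolean ini value."""
    value = raw.strip().strip("\"'").lower()
    if value in ("on", "yes", "true"):
        return True
    try:
        return int(value) != 0
    except ValueError:
        return False  # off, no, false, none, empty string


def force_redirect_enabled(ini_text):
    """Return the effective cgi.force_redirect value for one php.ini text."""
    enabled = True  # enabled by default when the directive is absent
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0]  # drop ';' comments
        match = _ASSIGN.match(line)
        if match:
            enabled = ini_bool(match.group(1))  # last assignment wins
    return enabled


def audit(ini_text):
    """Return a finding string, or None when the setting is safe."""
    if force_redirect_enabled(ini_text):
        return None
    return "cgi.force_redirect is disabled for the PHP CGI binary"
```

Run it against the php.ini that the CGI binary actually loads, together with any additional .ini files from its scan directory, since those are parsed after php.ini.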

DerScanner Severity Score: MEDIUM
