Security ramifications of cgi.force_redirect=0

 
Post new topic   Reply to topic    Aprelium Forum Index -> PHP
View previous topic :: View next topic  
Author Message
beerslayer
-


Joined: 21 Jan 2004
Posts: 13
Location: Northern California, USA

PostPosted: Sun Feb 10, 2013 1:56 am    Post subject: Security ramifications of cgi.force_redirect=0 Reply with quote

Here's my situation:

I am trying to set up a web application (xoops) on a local Ubuntu ("precise") server running Abyss 2.8 and PHP 5.3.10. I'm seeing a weird problem where part of the URL is being duplicated, resulting in inaccessible pages. I'm led to believe that the cgi.force_redirect option in php.ini may be the culprit (even though I have set REDIRECT_STATUS=200 in the Abyss console - what does this do?).

The php.ini file itself has this setting commented out but claims "Left undefined, PHP turns this on by default. You can turn it off here AT YOUR OWN RISK. **You CAN safely turn this off for IIS, in fact, you MUST.**"

Obviously I'm not using IIS. But the real question for me is: what are the security ramifications of setting cgi.force_redirect=0? How much and what kind of security do I sacrifice by doing this? Is this really likely to be the correct solution?
_________________
"If fifty million people say a foolish thing, it is still a foolish thing." -- Anatole France
Back to top View user's profile Send private message
aprelium-support
-


Joined: 20 Feb 2009
Posts: 356

PostPosted: Mon Feb 11, 2013 4:24 pm    Post subject: Re: Security ramifications of cgi.force_redirect=0 Reply with quote

beerslayer,

This parameter was meant for legacy Apache versions who used an awkward way to invoke PHP scripts. This way was dangerous and this parameter was there to limit the damage.

IIS and modern Web servers including Abyss Web Server "speak" regular CGI and therefore this parameter has to be turned off for proper operation.
_________________
Support Team
Aprelium - http://www.aprelium.com
Back to top View user's profile Send private message Visit poster's website
Display posts from previous:   
Post new topic   Reply to topic    Aprelium Forum Index -> PHP All times are GMT + 1 Hour
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB phpBB Group