16 September 2011, 07:43

Yesterday, someone pointed out to me that the default PHP configuration contains an insecure setting when using PHP in FastCGI mode. Because FastCGI is the recommended mode for PHP when using Hiawatha, it's important to change this setting.

It's about the cgi.fix_pathinfo setting in php.ini. The default setting is '1', but this should be set to '0'; otherwise, it can lead to a security issue. If your website allows users to upload files, for example images, an attacker could upload a PHP script with the name 'image.jpg'. If the file is requested via /image.jpg, the file is downloaded. But if the file is requested via /image.jpg/bla.php, the file is executed.

This is possible because Hiawatha doesn't check for the existence of /image.jpg/bla.php. Since a FastCGI server could be located on a remote server or running in a chroot environment, Hiawatha isn't always capable of checking for it. When cgi.fix_pathinfo is set to '1', PHP is allowed to do PATH_INFO-related filename translation. When set to '0', PHP doesn't do this.

PHP does this filename translation in order to make URLs like /index.php/some/parameter possible. Personally, I think this whole PATH_INFO stuff is ugly and really outdated. We have URL rewriting for that. To make PATH_INFO possible in Hiawatha, I had to do stuff that feels more like a hack than clean code. I really hope we can consider PATH_INFO deprecated very soon, but I think we will be seeing this weird technique for a long time.
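
The filename translation described above, as an added example: a simplified Python model written for this page, not PHP's or Hiawatha's own code. The function names and the temporary document root are constructed for illustration; it shows which file would be picked for /image.jpg/bla.php with cgi.fix_pathinfo set to '1' and to '0'.

```python
import os
import tempfile


def resolve_script(script_filename, fix_pathinfo):
    """Simplified model of how PHP in (Fast)CGI mode picks the file to run.

    Returns (script, path_info), or None when no file is found
    (PHP would answer "No input file specified").
    """
    if os.path.isfile(script_filename):
        return script_filename, ""
    if not fix_pathinfo:
        # cgi.fix_pathinfo=0: the path is used exactly as received.
        return None
    # cgi.fix_pathinfo=1: strip trailing path components until a regular
    # file is found; the stripped part becomes PATH_INFO.
    candidate = script_filename
    while candidate.count("/") > 1:
        candidate = candidate.rsplit("/", 1)[0]
        if os.path.isfile(candidate):
            return candidate, script_filename[len(candidate):]
    return None


def demo():
    """Constructed document root holding one uploaded file, image.jpg."""
    with tempfile.TemporaryDirectory() as docroot:
        upload = os.path.join(docroot, "image.jpg")
        with open(upload, "w") as f:
            f.write("<?php /* constructed placeholder upload */ ?>")
        # What the web server hands to PHP for a request to /image.jpg/bla.php
        requested = upload + "/bla.php"
        with_fix = resolve_script(requested, fix_pathinfo=True)
        without_fix = resolve_script(requested, fix_pathinfo=False)
        return upload, with_fix, without_fix


if __name__ == "__main__":
    upload, with_fix, without_fix = demo()
    print("cgi.fix_pathinfo=1 ->", with_fix)     # image.jpg is selected as the script
    print("cgi.fix_pathinfo=0 ->", without_fix)  # nothing is selected
```

With the setting at '1' the uploaded image.jpg is selected as the script and '/bla.php' becomes PATH_INFO; with '0' the nonexistent path is rejected.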

Chris Wadge
16 September 2011, 07:58
Nice catch, thanks for publicizing this.
16 September 2011, 15:48
Not using PHP in CGI mode, but fixed the config file just in case. Thanks for the heads-up.
16 September 2011, 15:51
Thanks for sharing the security info.
17 September 2011, 04:24
Thanks for the info and nice explanation
17 September 2011, 13:05
So cgi.fix_pathinfo will be set to '0' in php.ini from now on.
Thanks a lot for reporting.
16 December 2011, 04:13
That insight's just what I've been looking for. Thanks!