PHP CGI and a Security problem.

Postby magus1011 » 06. March 2009 22:37

I'm on Windows XP SP3 and just installed XAMPP 1.7.0 using the installer. I have not edited any of the ini files. I did not activate FileZilla (no need for FTP uploads) or Mercury Mail (my ISP blocks the POP3 port). As per the readme, I went to the Security page and filled out the password prompts.

On the Status page in "http://127.0.0.1/xampp/" I show:

    MySQL database ACTIVATED
    PHP ACTIVATED
    HTTPS (SSL) ACTIVATED
    Common Gateway Interface (CGI) ACTIVATED
    Server Side Includes (SSI) ACTIVATED
    SMTP Service DEACTIVATED
    FTP Service DEACTIVATED

I now have two problems. :cry:

The first is that I can no longer access the Security page; I get an Error 403, Access Forbidden! error. My error.log file shows:

    [Fri Mar 06 14:11:02 2009] [notice] Digest: generating secret for digest authentication ...
    [Fri Mar 06 14:11:02 2009] [notice] Digest: done
    [Fri Mar 06 14:11:03 2009] [notice] Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i mod_autoindex_color PHP/5.2.8 configured -- resuming normal operations
    [Fri Mar 06 14:11:03 2009] [notice] Server built: Dec 10 2008 00:10:06
    [Fri Mar 06 14:11:03 2009] [notice] Parent: Created child process 5504
    [Fri Mar 06 14:11:04 2009] [notice] Digest: generating secret for digest authentication ...
    [Fri Mar 06 14:11:04 2009] [notice] Digest: done
    [Fri Mar 06 14:11:04 2009] [notice] Child 5504: Child process is running
    [Fri Mar 06 14:11:04 2009] [notice] Child 5504: Acquired the start mutex.
    [Fri Mar 06 14:11:04 2009] [notice] Child 5504: Starting 250 worker threads.
    [Fri Mar 06 14:11:04 2009] [notice] Child 5504: Starting thread to listen on port 443.
    [Fri Mar 06 14:11:04 2009] [notice] Child 5504: Starting thread to listen on port 80.
    [Fri Mar 06 14:11:26 2009] [error] [client 127.0.0.1] client denied by server configuration: D:/xampp/security/htdocs/lang.php, referer: http://127.0.0.1/xampp/navi.php

and my access.log file shows:

    127.0.0.1 - - [06/Mar/2009:14:34:03 -0600] "GET / HTTP/1.1" 302 -
    127.0.0.1 - magus [06/Mar/2009:14:34:03 -0600] "GET /xampp/ HTTP/1.1" 200 604
    127.0.0.1 - magus [06/Mar/2009:14:34:03 -0600] "GET /xampp/head.php HTTP/1.1" 200 1393
    127.0.0.1 - magus [06/Mar/2009:14:34:03 -0600] "GET /xampp/navi.php HTTP/1.1" 200 4070
    127.0.0.1 - magus [06/Mar/2009:14:34:03 -0600] "GET /xampp/start.php HTTP/1.1" 200 1074
    http://www.007guard.com - - [06/Mar/2009:14:36:09 -0600] "GET /security/lang.php?en HTTP/1.1" 403 1108

The second problem is that I get a Server Error whenever I attempt to execute a PHP CGI script that is located in /xampp/cgi-bin as http://127.0.0.1/cgi-bin/phptest.php. I did a search on this board for "cgi*" and tried some of the solutions but none worked. My access.log file is:

    127.0.0.1 - - [06/Mar/2009:14:43:05 -0600] "GET /cgi-bin/phptest.php HTTP/1.1" 500 1142

and my error.log file is:

    [Fri Mar 06 14:42:09 2009] [notice] Digest: generating secret for digest authentication ...
    [Fri Mar 06 14:42:09 2009] [notice] Digest: done
    [Fri Mar 06 14:42:10 2009] [notice] Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i mod_autoindex_color PHP/5.2.8 configured -- resuming normal operations
    [Fri Mar 06 14:42:10 2009] [notice] Server built: Dec 10 2008 00:10:06
    [Fri Mar 06 14:42:10 2009] [notice] Parent: Created child process 4908
    [Fri Mar 06 14:42:10 2009] [notice] Digest: generating secret for digest authentication ...
    [Fri Mar 06 14:42:10 2009] [notice] Digest: done
    [Fri Mar 06 14:42:11 2009] [notice] Child 4908: Child process is running
    [Fri Mar 06 14:42:11 2009] [notice] Child 4908: Acquired the start mutex.
    [Fri Mar 06 14:42:11 2009] [notice] Child 4908: Starting 250 worker threads.
    [Fri Mar 06 14:42:11 2009] [notice] Child 4908: Starting thread to listen on port 443.
    [Fri Mar 06 14:42:11 2009] [notice] Child 4908: Starting thread to listen on port 80.
    [Fri Mar 06 14:43:05 2009] [error] [client 127.0.0.1] D:/xampp/cgi-bin/phptest.php is not executable; ensure interpreted scripts have "#!" first line
    [Fri Mar 06 14:43:05 2009] [error] [client 127.0.0.1] (9)Bad file descriptor: don't know how to spawn child process: D:/xampp/cgi-bin/phptest.php

The cgi I'm trying to execute is:

    <?php phpinfo(); ?>

Why I want to execute it from the cgi-bin directory is simple: I'm restricted to using that directory and the PHP language on the server that the pages will eventually be located on. The ISP's system operator was kind enough to provide the necessary source code for the real PHP script I'm to call under a non-disclosure agreement, and even the recommendation to use XAMPP for development.

I'm hoping someone will have a solution for these problems for which I thank you in advance. Should you need any more information in the way of listings or such please feel free to ask.

Thank you for your help.

--
Best Regards,
    Magus1011.
magus1011
 
Posts: 2
Joined: 06. March 2009 20:43

Re: PHP CGI and a Security problem.

Postby Izzy » 07. March 2009 11:10

> The first is that I can no longer access the Security page

Go to xampp\apache\conf\extra\, open the httpd-xampp.conf file in your text editor, look for 2 instances of "Allow from localhost" and change them to "Allow from 127.0.0.1". Then save the file and restart Apache, clear your browser's cache and try the security URI again.


> D:/xampp/cgi-bin/phptest.php is not executable;

Exactly what the error message tells you: a php file is not an executable cgi script, as it is a script parsed by the Apache server.

So put your file in the htdocs folder and call it in your browser http://localhost/phptest.php and it will work.

Look in the cgi-bin, as there are 2 or 3 examples of cgi scripts that can be called from http://localhost/cgi-bin/perltest.cgi or http://localhost/cgi-bin/printenv.pl. Check out the difference in the code between perl and php and you will be somewhat enlightened.

BTW there is already a phpinfo() file in XAMPP at http://localhost/xampp/phpinfo.php


> Why I want to execute it from the cgi-bin directory is simple: I'm restricted to using that directory and the PHP language on the server that the pages will eventually be located on. The ISP's system operator was kind enough to provide the necessary source code for the real PHP script I'm to call under a non-disclosure agreement, and even the recommendation to use XAMPP for development.

Then they should also provide instructions to enable you to do what they want you to do in XAMPP with php in a cgi-bin under a non-disclosure agreement - PHP is compiled in XAMPP as an Apache module, not as a cgi.
http://us3.php.net/security.cgi-bin
http://docs.joomla.org/Should_PHP_run_a ... _module%3F
Last edited by Izzy on 12. March 2009 08:32, edited 1 time in total.
Izzy
 
Posts: 3344
Joined: 25. April 2006 17:06

Re: PHP CGI and a Security problem.

Postby magus1011 » 07. March 2009 21:34

Thank you Izzy for the solution to the first problem. :D

> So put your file in the htdocs folder and call it in your browser http://localhost/phptest.php and it will work.

I wish. :cry: It errors out on file opens. Inspection of the source indicates that it should do this since the files are not where they are expected to be. They are off by the difference between \cgi-bin and \htdocs.

> > D:/xampp/cgi-bin/phptest.php is not executable;
>
> Exactly what the error message tells you: a php file is not an executable cgi script, as it is a script parsed by the Apache server.

Yep. I forgot the shebang line. When I add it I get a whole bunch of other errors:

    [Sat Mar 07 10:30:45 2009] [notice] Digest: generating secret for digest authentication ...
    [Sat Mar 07 10:30:45 2009] [notice] Digest: done
    [Sat Mar 07 10:30:46 2009] [notice] Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i mod_autoindex_color PHP/5.2.8 configured -- resuming normal operations
    [Sat Mar 07 10:30:46 2009] [notice] Server built: Dec 10 2008 00:10:06
    [Sat Mar 07 10:30:46 2009] [notice] Parent: Created child process 5184
    [Sat Mar 07 10:30:46 2009] [notice] Digest: generating secret for digest authentication ...
    [Sat Mar 07 10:30:46 2009] [notice] Digest: done
    [Sat Mar 07 10:30:47 2009] [notice] Child 5184: Child process is running
    [Sat Mar 07 10:30:47 2009] [notice] Child 5184: Acquired the start mutex.
    [Sat Mar 07 10:30:47 2009] [notice] Child 5184: Starting 250 worker threads.
    [Sat Mar 07 10:30:47 2009] [notice] Child 5184: Starting thread to listen on port 443.
    [Sat Mar 07 10:30:47 2009] [notice] Child 5184: Starting thread to listen on port 80.
    [Sat Mar 07 10:30:56 2009] [error] [client 127.0.0.1] Premature end of script headers: phptest.php
    [Sat Mar 07 10:30:56 2009] [error] [client 127.0.0.1] <b>Security Alert!</b> The PHP CGI cannot be accessed directly.
    [Sat Mar 07 10:30:56 2009] [error] [client 127.0.0.1]
    [Sat Mar 07 10:30:56 2009] [error] [client 127.0.0.1] <p>This PHP CGI binary was compiled with force-cgi-redirect enabled. This
    [Sat Mar 07 10:30:56 2009] [error] [client 127.0.0.1] means that a page will only be served up if the REDIRECT_STATUS CGI variable is
    [Sat Mar 07 10:30:56 2009] [error] [client 127.0.0.1] set, e.g. via an Apache Action directive.</p>
    [Sat Mar 07 10:30:56 2009] [error] [client 127.0.0.1] <p>For more information as to <i>why</i> this behaviour exists, see the <a href="http://php.net/security.cgi-bin">manual page for CGI security</a>.</p>
    [Sat Mar 07 10:30:56 2009] [error] [client 127.0.0.1] <p>For more information about changing this behaviour or re-enabling this webserver,
    [Sat Mar 07 10:30:56 2009] [error] [client 127.0.0.1] consult the installation file that came with this distribution, or visit
    [Sat Mar 07 10:30:56 2009] [error] [client 127.0.0.1] <a href="http://php.net/install.windows">the manual page</a>.</p>

I tried the solutions mentioned on the manual pages with no luck. I could not figure out how to use the Apache Action directive to set the REDIRECT_STATUS CGI variable as Apache is very new to me. I'm used to Xitami.

> Look in the cgi-bin, as there are 2 or 3 examples of cgi scripts that can be called from http://localhost/cgi-bin/perltest.cgi or http://localhost/cgi-bin/printenv.pl. Check out the difference in the code between perl and php and you will be somewhat enlightened.

If by "somewhat enlightened" you mean that I'll remember to add the shebang line, you're right! :D If you mean that I'll discover that Perl is different from PHP, I already know that and have known it for many years. Both languages have their place and function and both languages are useful. I'm a "language agnostic" with a definite preference for Assembly Language, C, Perl, PHP and PureBasic; a definite dislike based on years of experience with COBOL and PL/I; and a definite dislike of C++, Python, C# and several other languages based on their inability to model the way I think.

> BTW there is already a phpinfo() file in XAMPP at http://localhost/xampp/phpinfo.php

Yes, being a lazy programmer that's where I copied my test example from. :lol:

> > Why I want to execute it from the cgi-bin directory is simple: I'm restricted to using that directory and the PHP language on the server that the pages will eventually be located on. The ISP's system operator was kind enough to provide the necessary source code for the real PHP script I'm to call under a non-disclosure agreement, and even the recommendation to use XAMPP for development.
>
> Then they should also provide instructions to enable you to do what they want you to do in XAMPP with php in a cgi-bin under a non-disclosure agreement - PHP is compiled in XAMPP as an Apache module, not as a cgi.
> http://us3.php.net/security.cgi-bin
> http://docs.joomla.org/Should_PHP_run_a ... _module%3F

I went to the joomla pages and tried its solutions and found no happiness. I'd already been to the php.net pages earlier again with no happiness.

When I spoke to the system operator again after all this, he pointed out that expecting him to provide support for an XAMPP problem was "irrational" since the problem isn't his, it's XAMPP's. So I'm stuck between two people pointing fingers at each other and I still have no solution to this problem.

Your help is much appreciated. I would like to thank you in advance for your help clearing up this CGI problem.
--
Best regards,
Magus1011
magus1011
 
Posts: 2
Joined: 06. March 2009 20:43
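
The "Security Alert" in the last error.log excerpt is php-cgi.exe refusing a request that carries no REDIRECT_STATUS variable, which is what happens when a "#!" line makes Apache spawn the binary directly. The httpd.conf fragment below is an added example, not part of the thread or of XAMPP's shipped configuration: it routes .php files under cgi-bin through an Apache Action redirect so the force-cgi-redirect check stays enabled. The /php-cgi/ prefix, the handler name php-cgi-script and the location D:/xampp/php/php-cgi.exe are assumptions.

```apache
# Added example for Apache 2.2 (the thread's logs show 2.2.11).
# Assumptions: XAMPP lives in D:/xampp (from the log lines) and the CGI
# binary is D:/xampp/php/php-cgi.exe; /php-cgi/ and php-cgi-script are
# names made up for this example.
# Requires mod_alias, mod_actions and mod_cgi to be loaded.

# 1. Map a private URL prefix onto the directory holding the CGI binary.
ScriptAlias /php-cgi/ "D:/xampp/php/"

# 2. Within that directory, allow only php-cgi.exe to be requested.
<Directory "D:/xampp/php">
    AllowOverride None
    Options None
    Order deny,allow
    Deny from all
    <Files "php-cgi.exe">
        Order allow,deny
        Allow from all
    </Files>
</Directory>

# 3. Define a handler that Apache serves by internally redirecting to the
#    binary. The redirect is what sets REDIRECT_STATUS, so php-cgi.exe
#    accepts the request with cgi.force_redirect left at its default of 1.
Action php-cgi-script "/php-cgi/php-cgi.exe"

# 4. Use that handler for .php files under cgi-bin only; files in htdocs
#    keep using the Apache module. No "#!" line is needed, because Apache
#    no longer tries to spawn the .php file itself.
<Directory "D:/xampp/cgi-bin">
    <FilesMatch "\.php$">
        SetHandler php-cgi-script
    </FilesMatch>
</Directory>

# Weaker alternative, shown for contrast: keeping the "#!" line and setting
#   cgi.force_redirect = 0
# in php.ini silences the alert by switching the check off.
```

Apache has to be restarted for the change to take effect.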

