Security Alert! The PHP CGI cannot be accessed directly
 


Started by nikita, June 13, 2004, 08:10:00 PM


nikita

Hi,

I've recently installed Coppermine 1.3, all is OK, I've just one problem: when I want to change the language I've this error:

Quote:
Security Alert! The PHP CGI cannot be accessed directly.
This PHP CGI binary was compiled with force-cgi-redirect enabled. This means that a page will only be served up if the REDIRECT_STATUS CGI variable is set, e.g. via an Apache Action directive.
For more information as to why this behaviour exists, see the manual page for CGI security.
For more information about changing this behaviour or re-enabling this webserver, consult the installation file that came with this distribution, or visit the manual page.

I suppose the problem is from the web server  :( I don't think he will change that  :-\ so is there something I can change in the code to correct this problem?

Thanks and sorry for mistakes in the language  ;)

Joachim Müller



Joachim Müller

http://www.smiley-sanctuary.com/coppermine/?lang=english works as suggested - I can't see any issue with languages. Your gallery appears to be broken somehow anyway - the thumbs at the bottom show red crosses. Fix this first, probably a permission (CHMOD) issue imo.

GauGau

nikita

Hi,

thanks for your answer,

Quote:
Your gallery appears to be broken somehow anyway

It's normal, I just removed picture files from my server (not enough space).

Quote:
I can't see any issue with languages

The problem appears when I use the language list: when I choose a language (English for example) it links to this address: http://www.smiley-sanctuary.com/cgi-bin/php.cgi?lang=english

;)

Casper

Quote from: nikita on June 20, 2004, 08:51:09 AM
it's normal i just removed picture file from my server (no enough space).

It's not normal.  It makes the gallery look bad, and leaves the database full of out of date information.
You should not just delete from the server by ftp, but you should use the delete functions in coppermine, then this will not happen.
It has been a long time now since I did my little bit here, and have done no coding or any other such stuff since. I'm back to being a noob here

Joachim Müller

What do you have in your config for "Target address for the 'See more pictures' link in e-cards"?

GauGau

nikita

Quote:
It's not normal.  It makes the gallery look bad, and leaves the database full of out of date information.
You should not just delete from the server by ftp, but you should use the delete functions in coppermine, then this will not happen.

It's just a test gallery the problem was it before  :'( after I would have solved this problem I will clean my gallery  ;D

Quote:
What do you have in your config for "Target address for the 'See more pictures' link in e-cards"?

At first I had http://www.smiley-sanctuary.com/coppermine/ I have tested with http://www.smiley-sanctuary.com/  + http://www.smiley-sanctuary.com/coppermine/?lang=english same problem  :'(

I agree http://www.smiley-sanctuary.com/coppermine/?lang=english is working but when I select a language from the list it goes to http://www.smiley-sanctuary.com/cgi-bin/php.cgi?lang=english  ??? ??? ???

thanks again

Joachim Müller

check phpinfo (admin tools): what does it say for $_SERVER["SCRIPT_NAME"]?

GauGau

nikita

hi,

Nothing with $_SERVER["SCRIPT_NAME"] but I've SCRIPT_NAME: /cgi-bin/php.cgi

Is that what you want  ???

Joachim Müller

Yes, this means your server is set up improperly. If it is yours to administer, change this. If you're webhosted, ask the server admin to change this for you.
If both fail, edit include/init.inc.php and find

$PHP_SELF = isset($HTTP_SERVER_VARS['REDIRECT_URL']) ? $HTTP_SERVER_VARS['REDIRECT_URL'] : $HTTP_SERVER_VARS['SCRIPT_NAME'];

Replace $HTTP_SERVER_VARS['SCRIPT_NAME'] with a server var that actually exists on your server.

GauGau

nikita

Thanks, I'm webhosted, I'll ask him if he can change this; if not, do you think I can modify something in the script  ???

For example, give this kind of link to the list: http://www.smiley-sanctuary.com/coppermine/?lang=english

thanks  ;D

Joachim Müller


nikita

ok   :P

The problem is when I select a language in the list it goes to the wrong URL; I just want to know if I can modify it and give it this URL http://www.smiley-sanctuary.com/coppermine/?lang=english which works?

Thanks and sorry for my weird english  :D

Joachim Müller

That's what we're trying to do: we're trying to solve your issue with the language selectors. To do so, we need to correct the improper server setup. My last advice was to replace the improperly defined var in $PHP_SELF = isset($HTTP_SERVER_VARS['REDIRECT_URL']) ? $HTTP_SERVER_VARS['REDIRECT_URL'] : $HTTP_SERVER_VARS['SCRIPT_NAME'];. Please do as suggested.

GauGau

nikita

ok done,

- my administrator can't modify SCRIPT_NAME: /cgi-bin/php.cgi   :'(

- but he asked me: what does the script want to do when it uses SCRIPT NAME?

Joachim Müller

Check the phpinfo ( http://yourdomain.tld/your_coppermine_folder/phpinfo.php ) - especially the section "PHP Variables". There should be a server var, like $PHP_SELF, $_SERVER["SCRIPT_URI"], $_SERVER["SCRIPT_URL"]. Check if any of those vars have something like /your_coppermine_folder/phpinfo.php or http://yourdomain.tld/your_coppermine_folder/phpinfo.php as value and post back here.

GauGau

nikita

I've something like that :

- PHP_SELF = /phpinfo.php
- _SERVER["SCRIPT_FILENAME"] = /php/s/smileysa/php.cgi


Quote:
PHP Variables
Variable Value
PHP_SELF  /phpinfo.php  
_REQUEST["lang"] french
_REQUEST["cpg130_uid"] 1
_SERVER["PATH"] /usr/local/bin:/usr/bin:/bin
_SERVER["DOCUMENT_ROOT"] /home/s/smileysa/www
_SERVER["HTTP_ACCEPT"] image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
_SERVER["HTTP_ACCEPT_ENCODING"] gzip, deflate
_SERVER["HTTP_ACCEPT_LANGUAGE"] fr
_SERVER["HTTP_CONNECTION"] Keep-Alive
_SERVER["HTTP_HOST"] www.smiley-sanctuary.com
_SERVER["HTTP_USER_AGENT"] Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
_SERVER["REDIRECT_STATUS"] 200
_SERVER["REDIRECT_URL"] /phpinfo.php
_SERVER["REMOTE_ADDR"] 82.226.155.17
_SERVER["REMOTE_PORT"] 2338
_SERVER["SCRIPT_FILENAME"] /php/s/smileysa/php.cgi
_SERVER["SERVER_ADDR"] 192.168.1.11
_SERVER["SERVER_ADMIN"] tech@webheberg.com
_SERVER["SERVER_NAME"] www.smiley-sanctuary.com
_SERVER["SERVER_PORT"] 80
_SERVER["SERVER_SOFTWARE"] Apache/1.3.29 (Unix) mod_gzip/1.3.26.1a
_SERVER["UNIQUE_ID"] QNbfkcCoAQsAAFSKAjQ
_SERVER["GATEWAY_INTERFACE"] CGI/1.1
_SERVER["SERVER_PROTOCOL"] HTTP/1.1
_SERVER["REQUEST_METHOD"] GET
_SERVER["QUERY_STRING"] no value
_SERVER["REQUEST_URI"] /phpinfo.php
_SERVER["SCRIPT_NAME"] /cgi-bin/php.cgi
_SERVER["PATH_INFO"] /phpinfo.php
_SERVER["PATH_TRANSLATED"] /home/s/smileysa/www/phpinfo.php
_SERVER["PHP_SELF"] /phpinfo.php

hyperion

In include/init.inc.php, change $PHP_SELF to:


$PHP_SELF = $_SERVER['PHP_SELF'];


@GauGau,

I've noticed that this is the only self variable that the PHP-CGI binaries seem to create. It might be a good idea to put a note for PHP-CGI users in the documentation.
"Then, Fletch," that bright creature said to him, and the voice was very kind, "let's begin with level flight . . . ."

-Richard Bach, Jonathan Livingston Seagull

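An added example, not part of the thread and not Coppermine's own code: one way to make the `$PHP_SELF` lookup discussed above tolerate a CGI setup where SCRIPT_NAME names the PHP binary instead of the requested script. The helper names `resolve_self_path()` and `lang_link()` and the caller-supplied list of interpreter paths are assumptions; the sample values are the ones from the phpinfo output posted above.

```php
<?php
// Added example, not Coppermine code. resolve_self_path() and lang_link()
// are hypothetical helpers; the sample values come from the phpinfo output
// quoted in this thread.

/**
 * Pick the URL path of the running script from the server variables,
 * skipping any candidate that names the PHP CGI binary itself.
 */
function resolve_self_path(array $server, array $cgi_binaries): string
{
    // Order of the init.inc.php line, with PHP_SELF as the last resort.
    foreach (['REDIRECT_URL', 'SCRIPT_NAME', 'PHP_SELF'] as $key) {
        $path = isset($server[$key]) ? (string) $server[$key] : '';
        // Must be a site-relative path; "//host" would be read as a URL.
        if ($path === '' || $path[0] !== '/' || strncmp($path, '//', 2) === 0) {
            continue;
        }
        if (in_array($path, $cgi_binaries, true)) {
            continue; // a link built from this would point at the interpreter
        }
        return $path;
    }
    throw new RuntimeException('no usable self path in server variables');
}

/** Build the language-selector link, escaped for use in an href attribute. */
function lang_link(string $self, string $lang): string
{
    // PHP_SELF includes PATH_INFO, which the client controls: escape on output.
    return htmlspecialchars($self . '?lang=' . rawurlencode($lang), ENT_QUOTES);
}

// Constructed sample: values from the posted phpinfo, REDIRECT_URL left out.
$server = [
    'SCRIPT_NAME' => '/cgi-bin/php.cgi',
    'PATH_INFO'   => '/phpinfo.php',
    'PHP_SELF'    => '/phpinfo.php',
];
$self = resolve_self_path($server, ['/cgi-bin/php.cgi']);
echo lang_link($self, 'english'), "\n";
```

On a server where SCRIPT_NAME already holds the script's own path, the same function returns SCRIPT_NAME and never consults PHP_SELF.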

Joachim Müller