Author Topic: Security Alert! The PHP CGI cannot be accessed directly  (Read 108212 times)


nikita

  • Coppermine newbie
  • Offline Offline
  • Posts: 13
Security Alert! The PHP CGI cannot be accessed directly
« on: June 13, 2004, 08:10:00 pm »

Hi,

I've recently installed Coppermine 1.3 and all is OK; I've just one problem: when I want to change the language I get this error:
Quote
Security Alert! The PHP CGI cannot be accessed directly.
This PHP CGI binary was compiled with force-cgi-redirect enabled. This means that a page will only be served up if the REDIRECT_STATUS CGI variable is set, e.g. via an Apache Action directive.
For more information as to why this behaviour exists, see the manual page for CGI security.
For more information about changing this behaviour or re-enabling this webserver, consult the installation file that came with this distribution, or visit the manual page.

I suppose the problem comes from the web server :( I don't think he will change that :-\ so is there something I can change in the code to correct this problem?

Thanks, and sorry for the mistakes in the language ;)
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: Security Alert! The PHP CGI cannot be accessed directly
« Reply #1 on: June 17, 2004, 01:19:08 pm »

link?
Logged

nikita

Logged

Joachim Müller

Re: Security Alert! The PHP CGI cannot be accessed directly
« Reply #3 on: June 20, 2004, 12:37:50 am »

http://www.smiley-sanctuary.com/coppermine/?lang=english works as suggested - I can't see any issue with languages. Your gallery appears to be broken somehow anyway - the thumbs at the bottom show red crosses. Fix this first, probably a permission (CHMOD) issue imo.

GauGau
Logged

nikita

Re: Security Alert! The PHP CGI cannot be accessed directly
« Reply #4 on: June 20, 2004, 08:51:09 am »

Hi,

thanks for your answer,

Quote
Your gallery appears to be broken somehow anyway
It's normal, I just removed picture files from my server (not enough space).

Quote
I can't see any issue with languages
The problem appears when I use the language list: when I choose a language (English for example) it links to this address: http://www.smiley-sanctuary.com/cgi-bin/php.cgi?lang=english

 ;)
Logged

Casper

  • VIP
  • Coppermine addict
  • ***
  • Country: 00
  • Offline Offline
  • Gender: Male
  • Posts: 5231
Re: Security Alert! The PHP CGI cannot be accessed directly
« Reply #5 on: June 20, 2004, 02:03:55 pm »

Quote
It's normal, I just removed picture files from my server (not enough space).

It's not normal.  It makes the gallery look bad, and leaves the database full of out of date information.
You should not just delete from the server by ftp, but you should use the delete functions in coppermine, then this will not happen.
Logged
It has been a long time now since I did my little bit here, and have done no coding or any other such stuff since. I'm back to being a noob here

Joachim Müller

Re: Security Alert! The PHP CGI cannot be accessed directly
« Reply #6 on: June 20, 2004, 03:54:21 pm »

What do you have in your config for "Target address for the 'See more pictures' link in e-cards"?

GauGau
Logged

nikita

Re: Security Alert! The PHP CGI cannot be accessed directly
« Reply #7 on: June 20, 2004, 10:55:56 pm »

Quote
It's not normal.  It makes the gallery look bad, and leaves the database full of out of date information.
You should not just delete from the server by ftp, but you should use the delete functions in coppermine, then this will not happen.
It's just a test gallery; the problem was there before :'( After I have solved this problem I will clean my gallery ;D

Quote
What do you have in your config for "Target address for the 'See more pictures' link in e-cards"?
At first I had http://www.smiley-sanctuary.com/coppermine/ and I have tested with http://www.smiley-sanctuary.com/ + http://www.smiley-sanctuary.com/coppermine/?lang=english, same problem :'(

I agree http://www.smiley-sanctuary.com/coppermine/?lang=english is working, but when I select a language from the list it goes to http://www.smiley-sanctuary.com/cgi-bin/php.cgi?lang=english ??? ??? ???

thanks again
Logged

Joachim Müller

Re: Security Alert! The PHP CGI cannot be accessed directly
« Reply #8 on: June 21, 2004, 12:43:43 am »

check phpinfo (admin tools): what does it say for $_SERVER["SCRIPT_NAME"]?

GauGau
Logged

nikita

Re: Security Alert! The PHP CGI cannot be accessed directly
« Reply #9 on: June 21, 2004, 08:40:55 am »

hi,

Nothing with $_SERVER["SCRIPT_NAME"], but I've SCRIPT_NAME: /cgi-bin/php.cgi

Is that what you want ???
Logged

Joachim Müller

Re: Security Alert! The PHP CGI cannot be accessed directly
« Reply #10 on: June 21, 2004, 09:24:17 am »

Yes, this means your server is set up improperly. If it is yours to administer, change this. If you're webhosted, ask the server admin to change this for you.
If both fail, edit include/init.inc.php and find
Code:
$PHP_SELF = isset($HTTP_SERVER_VARS['REDIRECT_URL']) ? $HTTP_SERVER_VARS['REDIRECT_URL'] : $HTTP_SERVER_VARS['SCRIPT_NAME'];
Replace $HTTP_SERVER_VARS['SCRIPT_NAME'] with a server var that actually exists on your server.

GauGau
Logged

nikita

Re: Security Alert! The PHP CGI cannot be accessed directly
« Reply #11 on: June 21, 2004, 09:31:44 am »

Thanks, I'm webhosted; I'll ask him if he can change this. If not, do you think I can modify something in the script ???

For example, give this kind of link to the list: http://www.smiley-sanctuary.com/coppermine/?lang=english

thanks  ;D
Logged

Joachim Müller

Re: Security Alert! The PHP CGI cannot be accessed directly
« Reply #12 on: June 21, 2004, 09:35:29 am »

I don't understand, please re-phrase.

GauGau
Logged

nikita

Re: Security Alert! The PHP CGI cannot be accessed directly
« Reply #13 on: June 21, 2004, 09:41:22 am »

ok   :P

The problem is that when I select a language in the list it goes to the wrong URL. I just want to know if I can modify it and give it this URL http://www.smiley-sanctuary.com/coppermine/?lang=english which works?

Thanks and sorry for my weird English :D
Logged

Joachim Müller

Re: Security Alert! The PHP CGI cannot be accessed directly
« Reply #14 on: June 21, 2004, 10:12:26 am »

That's what we're trying to do: we're trying to solve your issue with the language selectors. To do so, we need to correct the improper server setup. My last advice was to replace the improperly defined var in
Code:
$PHP_SELF = isset($HTTP_SERVER_VARS['REDIRECT_URL']) ? $HTTP_SERVER_VARS['REDIRECT_URL'] : $HTTP_SERVER_VARS['SCRIPT_NAME'];
Please do as suggested.

GauGau
Logged

nikita

Re: Security Alert! The PHP CGI cannot be accessed directly
« Reply #15 on: June 21, 2004, 12:24:00 pm »

OK, done.

- my administrator can't modify SCRIPT_NAME: /cgi-bin/php.cgi :'(

- but he asked me: what does the script want to do when it uses SCRIPT_NAME?
Logged

Joachim Müller

Re: Security Alert! The PHP CGI cannot be accessed directly
« Reply #16 on: June 21, 2004, 02:27:34 pm »

Check the phpinfo ( http://yourdomain.tld/your_coppermine_folder/phpinfo.php ) - especially the section "PHP Variables". There should be a server var, like $PHP_SELF, $_SERVER["SCRIPT_URI"], $_SERVER["SCRIPT_URL"]. Check if any of those vars have something like /your_coppermine_folder/phpinfo.php or http://yourdomain.tld/your_coppermine_folder/phpinfo.php as value and post back here.

GauGau
Logged

nikita

Re: Security Alert! The PHP CGI cannot be accessed directly
« Reply #17 on: June 21, 2004, 03:29:18 pm »

I've something like that:

- PHP_SELF = /phpinfo.php
- _SERVER["SCRIPT_FILENAME"] = /php/s/smileysa/php.cgi


Quote
PHP Variables
Variable Value
PHP_SELF  /phpinfo.php  
_REQUEST["lang"] french
_REQUEST["cpg130_uid"] 1
_SERVER["PATH"] /usr/local/bin:/usr/bin:/bin
_SERVER["DOCUMENT_ROOT"] /home/s/smileysa/www
_SERVER["HTTP_ACCEPT"] image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
_SERVER["HTTP_ACCEPT_ENCODING"] gzip, deflate
_SERVER["HTTP_ACCEPT_LANGUAGE"] fr
_SERVER["HTTP_CONNECTION"] Keep-Alive
_SERVER["HTTP_HOST"] www.smiley-sanctuary.com
_SERVER["HTTP_USER_AGENT"] Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
_SERVER["REDIRECT_STATUS"] 200
_SERVER["REDIRECT_URL"] /phpinfo.php
_SERVER["REMOTE_ADDR"] 82.226.155.17
_SERVER["REMOTE_PORT"] 2338
_SERVER["SCRIPT_FILENAME"] /php/s/smileysa/php.cgi
_SERVER["SERVER_ADDR"] 192.168.1.11
_SERVER["SERVER_ADMIN"] tech@webheberg.com
_SERVER["SERVER_NAME"] www.smiley-sanctuary.com
_SERVER["SERVER_PORT"] 80
_SERVER["SERVER_SOFTWARE"] Apache/1.3.29 (Unix) mod_gzip/1.3.26.1a
_SERVER["UNIQUE_ID"] QNbfkcCoAQsAAFSKAjQ
_SERVER["GATEWAY_INTERFACE"] CGI/1.1
_SERVER["SERVER_PROTOCOL"] HTTP/1.1
_SERVER["REQUEST_METHOD"] GET
_SERVER["QUERY_STRING"] no value
_SERVER["REQUEST_URI"] /phpinfo.php
_SERVER["SCRIPT_NAME"] /cgi-bin/php.cgi
_SERVER["PATH_INFO"] /phpinfo.php
_SERVER["PATH_TRANSLATED"] /home/s/smileysa/www/phpinfo.php
_SERVER["PHP_SELF"] /phpinfo.php
Logged

hyperion

  • VIP
  • Coppermine addict
  • ***
  • Offline Offline
  • Posts: 1317
  • - retired -
Re: Security Alert! The PHP CGI cannot be accessed directly
« Reply #18 on: June 22, 2004, 02:26:07 am »

In include/init.inc.php, change $PHP_SELF to:

Code:
$PHP_SELF = $_SERVER['PHP_SELF'];

@GauGau,

I've noticed that this is the only self variable that the PHP-CGI binaries seem to create. It might be a good idea to put a note for PHP-CGI users in the documentation.
Logged
"Then, Fletch," that bright creature said to him, and the voice was very kind, "let's begin with level flight . . . ."

-Richard Bach, Jonathan Livingston Seagull

(http://www.mozilla.org/products/firefox/buttons/getfirefox_small.png)
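
The fix discussed in this thread swaps one request-derived server variable for another, and under a CGI wrapper PHP_SELF can carry extra path info supplied by the client. As an added example (not Coppermine's code and not written by any poster here), this is one way to choose the variable defensively and escape it before it reaches the language-selector link. `resolve_self_path()`, `lang_link()` and the sample arrays are hypothetical and constructed; the wrapper path is the one shown in the phpinfo output above.

```php
<?php
// Added example, not Coppermine code; helper names are hypothetical.

/**
 * Pick the URL path of the running page from server variables.
 * A candidate is skipped when it names the CGI wrapper itself
 * (as SCRIPT_NAME does on the host in this thread).
 */
function resolve_self_path(array $server, string $cgiWrapper = '/cgi-bin/php.cgi'): string
{
    foreach (['REDIRECT_URL', 'PHP_SELF', 'SCRIPT_NAME'] as $key) {
        $path = $server[$key] ?? '';
        if (!is_string($path) || $path === '' || strpos($path, $cgiWrapper) === 0) {
            continue; // missing, or points at the interpreter instead of the page
        }
        // All three are derived from the request URL, so accept only a plain
        // absolute path: no scheme, quotes, angle brackets or control bytes.
        if (preg_match('#^/[A-Za-z0-9._~/-]*\z#', $path) === 1) {
            return $path;
        }
    }
    return '/'; // conservative default: site root
}

/** Build one language-selector link, escaping at the point of output. */
function lang_link(array $server, string $lang): string
{
    $url = resolve_self_path($server) . '?lang=' . rawurlencode($lang);
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($lang, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Constructed sample inputs. The first mirrors the phpinfo values posted above.
$cgiHost = [
    'REDIRECT_URL' => '/phpinfo.php',
    'PHP_SELF'     => '/phpinfo.php',
    'SCRIPT_NAME'  => '/cgi-bin/php.cgi',
];
// Only the wrapper path is available.
$onlyWrapper = ['SCRIPT_NAME' => '/cgi-bin/php.cgi'];
// PHP_SELF carries extra path info containing markup characters.
$tampered = ['PHP_SELF' => '/index.php/"><b>x', 'SCRIPT_NAME' => '/index.php'];

foreach ([$cgiHost, $onlyWrapper, $tampered] as $server) {
    echo lang_link($server, 'english'), "\n";
}
```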

Joachim Müller

Re: Security Alert! The PHP CGI cannot be accessed directly
« Reply #19 on: June 22, 2004, 08:01:53 am »

@Hyperion: OK, please do so.

GauGau
Logged