Yesterday, someone pointed out to me that the default PHP configuration contains an insecure setting when PHP is used in FastCGI mode. Because FastCGI is the recommended way to run PHP with Hiawatha, it is important to change this setting.
It concerns the cgi.fix_pathinfo setting in php.ini. The default value is '1', but it should be set to '0'. Otherwise, it can lead to a security issue. If your website allows users to upload files, for example images, an attacker can upload a PHP script under the name 'image.jpg'. If the file is requested via /image.jpg, it is simply served as a static file. But if it is requested via /image.jpg/bla.php, the file is executed as PHP.
This is possible because Hiawatha doesn't check for the existence of /image.jpg/bla.php. Since the FastCGI server may be located on a remote host or running in a chroot environment, Hiawatha isn't always able to check for it. When cgi.fix_pathinfo is set to '1', PHP is allowed to do PATH_INFO-related filename translation: if the script path it receives does not exist, it strips trailing path components until it finds a file that does, runs that file as the script, and hands the stripped remainder to it as PATH_INFO. So /image.jpg/bla.php becomes the script /image.jpg with PATH_INFO /bla.php, and the uploaded 'image' is executed. When set to '0', PHP doesn't do this and refuses the request if the given script file does not exist.
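As an added illustration (not code from this post, from Hiawatha or from PHP), the following Python models the two behaviours of cgi.fix_pathinfo on the request paths discussed above, plus a small check that reads the effective value out of a php.ini text. The file names and contents are constructed for the example; the translation routine is a simplified model of PHP's walk-back logic, not PHP's own implementation.

```python
import os
import re
import tempfile

# Constructed sample document root contents (not from the post):
# a legitimate front controller and an attacker upload that is really PHP.
FILES = {
    "index.php": "<?php /* legitimate front controller */ ?>",
    "image.jpg": "<?php /* attacker-supplied script, uploaded as an image */ ?>",
}


def translate_script_path(docroot, request_path, fix_pathinfo):
    """Simplified model of how PHP-FastCGI resolves the script to run.

    fix_pathinfo=1: if the requested path is not a file, strip trailing path
        components until an existing file is found; the rest becomes PATH_INFO.
    fix_pathinfo=0: the requested path must exist as a file; otherwise PHP
        refuses the request ("No input file specified.").

    Returns (script_path, path_info) relative to docroot, or None when PHP
    would refuse. Assumption: the web server passed the path through unchanged.
    """
    parts = [p for p in request_path.split("/") if p]
    if ".." in parts:  # keep the model inside docroot
        return None
    candidate = os.path.join(docroot, *parts) if parts else docroot
    if os.path.isfile(candidate):
        return ("/" + "/".join(parts), "")
    if not fix_pathinfo:
        return None
    # Walk back one component at a time: /a/b/c -> /a/b, then /a
    for i in range(len(parts) - 1, 0, -1):
        script = os.path.join(docroot, *parts[:i])
        if os.path.isfile(script):
            return ("/" + "/".join(parts[:i]), "/" + "/".join(parts[i:]))
    return None


def fix_pathinfo_setting(php_ini_text):
    """Return the effective cgi.fix_pathinfo value (0 or 1) from php.ini text.

    PHP's built-in default is 1, so a missing directive counts as 1.
    Comments start with ';' and are ignored; the last directive wins.
    """
    value = 1
    for line in php_ini_text.splitlines():
        line = line.split(";", 1)[0].strip()
        match = re.match(r"cgi\.fix_pathinfo\s*=\s*(\S+)", line, re.IGNORECASE)
        if match:
            raw = match.group(1).strip("\"'").lower()
            value = 1 if raw in ("1", "on", "true", "yes") else 0
    return value


def demo():
    """Resolve the three interesting request paths under both settings."""
    paths = ["/image.jpg", "/image.jpg/bla.php", "/index.php/some/parameter"]
    results = {}
    with tempfile.TemporaryDirectory() as docroot:
        for name, body in FILES.items():
            with open(os.path.join(docroot, name), "w") as handle:
                handle.write(body)
        for fix in (1, 0):
            results[fix] = {p: translate_script_path(docroot, p, fix) for p in paths}
    return results


if __name__ == "__main__":
    for fix, outcome in demo().items():
        print(f"cgi.fix_pathinfo={fix}")
        for path, resolved in outcome.items():
            print(f"  {path:28} -> {resolved}")
```

With fix_pathinfo=1 the model resolves /image.jpg/bla.php to the script /image.jpg with PATH_INFO /bla.php, which is exactly the execution of the uploaded file described above; with fix_pathinfo=0 that request is refused, but so is /index.php/some/parameter unless the web server itself supplies PATH_INFO to the FastCGI server, which this model does not cover.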
PHP does this filename translation in order to make URLs like /index.php/some/parameter possible. Personally, I think this whole PATH_INFO stuff is ugly and really outdated. We have URL rewriting for that. To make PATH_INFO possible in Hiawatha, I had to do stuff that feels more like a hack than clean code. I really hope we can consider PATH_INFO deprecated very soon, but I think we will be seeing this weird technique for a long time.
Thanks a lot for reporting.