Vulnerability Information
Vulnerability Title
cgi.force_redirect configuration is bypassable due to the environment variable collision
Vulnerability Description
In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, and 8.3.* before 8.3.12, the HTTP_REDIRECT_STATUS environment variable is used to check whether or not the CGI binary is being run by the HTTP server. However, in certain scenarios the content of this variable can be controlled by the request submitter via HTTP headers, so the cgi.force_redirect option is not correctly applied. In certain configurations this may lead to arbitrary file inclusion in PHP.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Vulnerability Type
N/A
Vulnerability Title
PHP Security Vulnerability
Vulnerability Description
PHP is a scripting language that is executed on the server side. PHP versions before 8.1.30, before 8.2.24, and before 8.3.12 contain a security vulnerability that stems from a defect in the configuration directive cgi.force_redirect; in certain uncommon configurations, an attacker may bypass this restriction and access php-cgi directly.
CVSS Information
N/A
Vulnerability Type
N/A