RSPEC-3335

"cgi.force_redirect" should be enabled

    Details

    • Type: Vulnerability Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      Remove this configuration disabling "cgi.force_redirect".
    • Default Severity:
      Major
    • Impact:
      Low
    • Likelihood:
      High
    • Covered Languages:
      PHP
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      2min
    • CWE:
      CWE-305
    • OWASP:
      A6

      Description

      When PHP runs as a CGI binary, the cgi.force_redirect php.ini directive makes it refuse requests that reach it directly rather than through the web server's handler redirection. PHP checks for an environment variable that the server sets when it hands a request off to the CGI (REDIRECT_STATUS or HTTP_REDIRECT_STATUS under Apache; cgi.redirect_status_env names a different variable for other servers) and exits with "Security Alert! The PHP CGI cannot be accessed directly." when it is missing. Without that check, anyone who can reach the PHP binary's own URL can hand it an arbitrary script path and bypass the access controls the server applies per location. The directive is on by default. It has to be turned off on IIS, OmniHTTPD and Xitami, which do not set such a variable, and in every other case it should stay on.

      This rule raises an issue when cgi.force_redirect is explicitly disabled in php.ini.

      Noncompliant Code Example

      ; php.ini
      cgi.force_redirect=0  ; Noncompliant
      
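      The following audit script is an added example, not SonarSource's rule implementation. It scans a php.ini text for assignments that disable cgi.force_redirect, reproducing how PHP itself converts an INI value to a boolean (the strings on, yes and true are true; anything else is true only if it parses to a non-zero integer the way atoi() would, so 0, Off, false, no and an empty value all count as disabled). It also honours ';' comments, double-quoted values, [HOST=...] and [PATH=...] sections, and the fact that a directive never mentioned keeps its default of on. The sample php.ini and the host name in it are constructed for the example.

```python
"""Audit a php.ini for an explicitly disabled cgi.force_redirect.

Added example; not the rule's own implementation. Boolean handling
mirrors PHP's zend_ini_parse_bool(): "on"/"yes"/"true" are true, any
other value is true only if its leading integer (atoi) is non-zero.
"""
import re

DIRECTIVE = "cgi.force_redirect"
MESSAGE = 'Remove this configuration disabling "cgi.force_redirect".'


def php_ini_bool(value: str) -> bool:
    """Interpret an INI value the way PHP does for boolean directives."""
    v = value.strip().strip('"')
    if v.lower() in ("on", "yes", "true"):
        return True
    m = re.match(r"\s*[+-]?\d+", v)  # atoi(): leading integer, else 0
    return bool(m) and int(m.group()) != 0


def strip_comment(line: str) -> str:
    """Drop a ';' comment, but leave a ';' inside a double-quoted value."""
    out, in_quote = [], False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            break
        out.append(ch)
    return "".join(out)


def audit_php_ini(text: str) -> list:
    """Return one finding per assignment that disables cgi.force_redirect.

    The enclosing [section] is recorded so that a [HOST=...] or
    [PATH=...] override is reported with its scope. A file that never
    sets the directive yields no finding, because PHP's default is on.
    """
    findings = []
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw).strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() != DIRECTIVE:
            continue
        if not php_ini_bool(value):
            findings.append({"line": lineno, "section": section,
                             "value": value, "message": MESSAGE})
    return findings


# Constructed sample php.ini for the example; not a real deployment.
SAMPLE_INI = """\
; constructed sample php.ini
[PHP]
cgi.force_redirect = 1        ; compliant: restates the default
cgi.fix_pathinfo = 0
cgi.force_redirect = Off      ; Noncompliant: later assignment wins
[HOST=legacy.example.test]
cgi.force_redirect="0"        ; Noncompliant: per-host override
auto_prepend_file = "/srv/lib/prelude;v2.php"   ; ';' inside quotes is not a comment
"""

if __name__ == "__main__":
    for f in audit_php_ini(SAMPLE_INI):
        scope = f"[{f['section']}] " if f["section"] else ""
        print(f"line {f['line']}: {scope}{DIRECTIVE}={f['value']!r}: {f['message']}")
```

      Running the script on the sample reports lines 5 and 7 and nothing else: the explicit `= 1` on line 3 is compliant, and the quoted `;` on the last line is correctly not treated as a comment. Point it at a real php.ini (or at each file `php --ini` lists) to find overrides that the rule would flag; if a server genuinely requires the directive off, record why beside the setting rather than leaving a bare `=0`.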

      See

              People

              • Reporter:
                ann.campbell.2 Ann Campbell