Fun with PHP CLI scripts

I've had quite a lot of "fun" with PHP CLI scripts the other day. As you perhaps know, there is an "exec" feature built into mod_security that allows you to execute some external binary in response to a filter match. This was working properly with Perl scripts but not with PHP scripts.

It seems that the problem lies in PHP itself. Apparently, it is designed to work as a CGI engine and as a command line binary at the same time, and uses environment variables to figure out how it was run. So, when it sees a bunch of web-releated environment variables it concludes that it should behave like a CGI script. That alone would not be a problem but then certain security restrictions kick in and script execution just stops.

Finally, after reading the source code for PHP the problem was resolved by simulating REDIRECT_STATUS and PATH_TRANSLATED environment variables from mod_security. Thanks to Shane Lahey who discovered this problem and exchanged countless emails with me until we nailed it down.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.