Blogs & Stories

SpiderLabs Blog

Attracting more than a half-million annual readers, this is the security community's go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

Fun with PHP CLI scripts

I've had quite a lot of "fun" with PHP CLI scripts the other day. As you perhaps know, there is an "exec" feature built into mod_security that allows you to execute some external binary in response to a filter match. This was working properly with Perl scripts but not with PHP scripts.

It seems that the problem lies in PHP itself. Apparently, it is designed to work as a CGI engine and as a command line binary at the same time, and uses environment variables to figure out how it was run. So, when it sees a bunch of web-releated environment variables it concludes that it should behave like a CGI script. That alone would not be a problem but then certain security restrictions kick in and script execution just stops.

Finally, after reading the source code for PHP the problem was resolved by simulating REDIRECT_STATUS and PATH_TRANSLATED environment variables from mod_security. Thanks to Shane Lahey who discovered this problem and exchanged countless emails with me until we nailed it down.