Accessing any web document on server: http://my.host/cgi-bin/php/secret/doc.html
The path information part of the URL after the PHP binary name,
/secret/doc.html, is conventionally used to specify the name
of the file to be opened and interpreted by the CGI program.
Usually some web server configuration directives (Apache:
Action) are used to redirect requests to documents like
http://my.host/secret/script.php to the
PHP interpreter. With this setup, the web server first checks
the access permissions to the directory /secret, and after that creates the
redirected request http://my.host/cgi-bin/php/secret/script.php.
Unfortunately, if the request is originally given in this form,
the web server makes no access checks for the file /secret/script.php, only for the
/cgi-bin/php file. This way
any user able to access /cgi-bin/php is able to access any
protected document on the web server.
In PHP, the compile-time configuration option --enable-force-cgi-redirect
and the runtime configuration directives doc_root and user_dir can be used to prevent
this attack, if the server document tree has any directories
with access restrictions. See below for the full explanation
of the different combinations.
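
The access-check gap described above, and the effect of a redirect guard, as a small model. This is an added example, not code from PHP or Apache. The user names and ACL table are constructed, and the guard is modelled on the assumption that it checks for the REDIRECT_STATUS environment variable that Apache sets on internally redirected requests.

```python
# Constructed model of the request flow; not Apache or PHP source code.
ACL = {"/secret": {"alice"}}   # constructed: protected directory -> allowed users
CGI = "/cgi-bin/php"           # CGI binary path from the page's example URL

def acl_allows(path, user):
    """Web server access check for exactly the path it was asked about."""
    for prefix, allowed in ACL.items():
        if path == prefix or path.startswith(prefix + "/"):
            return user in allowed
    return True

def php_cgi(env, force_cgi_redirect):
    """CGI side: opens the file named by PATH_INFO and checks no ACL itself."""
    if force_cgi_redirect and "REDIRECT_STATUS" not in env:
        return ("refused-by-cgi", None)  # request did not arrive via a redirect
    return ("interpreted", env["PATH_INFO"])

def web_server(url_path, user, force_cgi_redirect=False):
    """Return (outcome, file the CGI would open) for one request."""
    if url_path.startswith(CGI + "/"):
        # Direct form: only the CGI binary's own path is access-checked.
        if not acl_allows(CGI, user):
            return ("refused-by-server", None)
        return php_cgi({"PATH_INFO": url_path[len(CGI):]}, force_cgi_redirect)
    # Normal form: the document path is checked first, then the request is
    # redirected to the CGI (assumption: the handler applies to every document).
    if not acl_allows(url_path, user):
        return ("refused-by-server", None)
    env = {"PATH_INFO": url_path, "REDIRECT_STATUS": "200"}
    return php_cgi(env, force_cgi_redirect)

if __name__ == "__main__":
    for path in ("/secret/script.php", "/cgi-bin/php/secret/doc.html"):
        for guard in (False, True):
            print(path, "guard" if guard else "no-guard",
                  web_server(path, "mallory", guard))
```

With the guard off, the direct form reaches the protected file for a user the directory ACL rejects; with it on, only requests that passed the web server's own check and redirect are interpreted.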