Security Alert! The PHP CGI cannot be accessed directly...

on 16.03.2005 08:53:29 by Ian Matthews

Good Day;

I just performed an install of PHP 4.3.10 using the "php.ini-recommended" on
IIS6 and was getting:

"Security Alert! The PHP CGI cannot be accessed directly.
This PHP CGI binary was compiled with force-cgi-redirect
enabled. This means that a page will only be served up if the
REDIRECT_STATUS CGI variable is set, e.g. via an
Apache Action directive."

After some research and talking to some PHP programmer buddies, the solution
seemed to be to add the following to the php.ini :
cgi.force_redirect = 0
cgi.redirect_status_env ="yes";

http://codewalkers.com/archives/phphelp/211.html

Now my server functions but I am concerned with potential security problems.
The INI file and the on-line manual state that REDIRECT_STATUS relates to
Apache only and infers that it may be a serious security risk on other web
servers.

Note that in addition to adding PHP.EXE into the "APPLICATION CONFIGURATION"
of a specific virtual server, I also had to add it into the WEB SERVER
EXTENSIONS on the IIS6 server. This step was not documented in the PHP
manuals I reviewed but it was required.

Any explanation as to what these settings do and whether I have exposed my
customers' systems would be appreciated.

--
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
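
A model of the check the quoted error message describes, run against the two php.ini lines from the post (an added example, not part of the original message and not PHP's own code). The function names and sample input are constructed here; the defaults used (the check is on when cgi.force_redirect is unset, and HTTP_REDIRECT_STATUS is accepted alongside REDIRECT_STATUS) are assumptions about the PHP CGI binary.

```python
import re

# Constructed sample: the two php.ini lines quoted in the post.
SAMPLE_INI = '''\
; constructed sample
cgi.force_redirect = 0
cgi.redirect_status_env ="yes";
'''

def parse_ini(text):
    """Minimal php.ini reader: key = value, ';' starts a comment, quotes stripped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line.startswith('['):
            continue
        key, sep, value = line.partition('=')
        if not sep:
            continue
        value = value.strip()
        quoted = re.match(r'"([^"]*)"', value)
        # A quoted value ends at the closing quote; otherwise cut at a trailing comment.
        value = quoted.group(1) if quoted else value.split(';', 1)[0].strip()
        settings[key.strip()] = value
    return settings

def ini_bool(value, default):
    """Interpret an ini boolean; an unset key falls back to the default."""
    if value is None:
        return default
    return value.strip().lower() in ('1', 'on', 'yes', 'true')

def cgi_gate(settings, env):
    """Return (served, reason) for a request reaching the CGI binary with `env`."""
    # Assumption: the check is enabled unless php.ini turns it off.
    if not ini_bool(settings.get('cgi.force_redirect'), True):
        return True, 'cgi.force_redirect is off: environment is not checked'
    markers = ['REDIRECT_STATUS', 'HTTP_REDIRECT_STATUS']
    custom = settings.get('cgi.redirect_status_env')
    if custom:
        markers.append(custom)  # extra variable name accepted as the marker
    for name in markers:
        if name in env:
            return True, 'redirect marker %s is set' % name
    return False, 'Security Alert! The PHP CGI cannot be accessed directly.'

if __name__ == '__main__':
    cfg = parse_ini(SAMPLE_INI)
    print(cfg)
    print(cgi_gate(cfg, {}))   # the post's settings, no marker in the environment
    print(cgi_gate({}, {}))    # defaults, no marker: the alert from the post
```

With the post's settings the first line alone decides the outcome: once cgi.force_redirect is 0, the variable named by cgi.redirect_status_env is never looked up.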