Reputation: 1381
Trying to make a simple Perl script that looks at a GET parameter to determine which php version to use, and then pass on the request. Here is the whole script:
    #!/usr/bin/perl
    use FCGI;
    $cnt = 0;
    local ($buffer, @pairs, $pair, $name, $value);
    while(FCGI::accept >= 0){
        $php = "php";
        $ENV{PHP_FCGI_CHILDREN}=3;
        $ENV{PHP_FCGI_MAX_REQUESTS}=5000;
        $buffer = $ENV{'QUERY_STRING'};
        @pairs = split(/&/, $buffer);
        foreach $pair (@pairs) {
            ($name, $value) = split(/=/, $pair);
            if($name == "php") {
                $php = "php".$value;
            }
        }
        print "Content-Type: text/html\r\n\r\n";
        print `$php $ENV{PATH_TRANSLATED}`;
    }
The idea is that the PHP version can be switched with a GET parameter... that part seems to be working fine when I test with phpversion().
So this thing seems to be "working" but a test file with a simple <?php phpinfo(); ?> outputs a pure string, NOT the formatted HTML. It gives the exact output as if phpinfo() were run from the command line, because that's exactly what's going on.
So the two parts to my question are
Upvotes: 0
Views: 264
Reputation: 39158
Nice command injection vulnerability you built there.
QUERY_STRING='0=5;echo "fail_at_Web_security_forever";rm -rf /'
String comparison is eq, not ==. You must validate user input, white-list acceptable input and reject all other. The lack of a standard CGI parameter parsing library is typical for bad code like that: use CGI.pm or similar.
To forward/proxy a request, call PHP via HTTP: use LWP::UserAgent or similar.
Upvotes: 1
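The answer's points (eq for string comparison, an allow-list for the php parameter, and no shell between the script and the interpreter) can be sketched as follows. This is an added example, not code from either post; the interpreter paths and the function names select_php and run_php are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allow-list: the only accepted values of the "php" parameter, mapped to the
# interpreter to run. The paths are hypothetical; adjust them to the host.
my %PHP_BIN = (
    ''    => '/usr/bin/php',
    '5.6' => '/usr/bin/php5.6',
    '7.4' => '/usr/bin/php7.4',
);

# Return the interpreter path for a query string, or undef when the "php"
# parameter carries a value that is not on the allow-list.
sub select_php {
    my ($query) = @_;
    my $version = '';
    for my $pair (split /&/, $query // '') {
        my ($name, $value) = split /=/, $pair, 2;
        next unless defined $name && $name eq 'php';   # eq, not ==
        $version = $value // '';
    }
    return $PHP_BIN{$version};   # undef for anything not listed above
}

# Run the script without a shell: list-form open hands each argument
# straight to exec, so metacharacters in them are never interpreted.
sub run_php {
    my ($bin, $script) = @_;
    open(my $out, '-|', $bin, '-f', $script) or return;
    local $/;                    # slurp the whole output
    my $body = <$out>;
    close $out;
    return $body;
}

# Constructed query strings; the last two carry shell metacharacters.
for my $qs ('', 'php=7.4', 'php=9', '0=5;echo injected', 'php=5;echo injected') {
    my $bin = select_php($qs);
    printf "%-24s => %s\n", "'$qs'", $bin // 'rejected';
}
```

Inside the FCGI accept loop, a request for which select_php returns undef would get an error response, and any other request would print run_php($bin, $ENV{PATH_TRANSLATED}).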