Insecure $ENV{PATH} while running with -T switch at /var/www/html/cgi-bin/check.cgi


I have a little CGI script running on Apache 2.4.57.

I am trying to exec a PHP file in the script like this:

exec ('php /var/www/html/footer.php') or print STDERR "couldn't exec $command: $!";

But it didn't work out. The Apache log throws the error:

Insecure $ENV{PATH} while running with -T switch at /var/www/html/cgi-bin/check.cgi

How can I add $ENV{'PATH'} to make it secure?


There are 2 best solutions below

3
On

How can I add $ENV{'PATH'} to make it secure?

Set it to a defined value, i.e.

$ENV{PATH}="/bin:/usr/bin";

And better call your script with the full path so that it does not need to rely on PATH. Also, don't use the shell to interpret the command line; use the multi-argument form to invoke the program directly:

exec ('/usr/bin/php', '/var/www/html/footer.php') or ...
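
A fuller version of the approach in the answer above, as an added example that is not part of the original answer: it cleans the environment the way taint mode requires, then runs PHP through a list-form piped open, so no shell parses the command and the CGI script keeps running after PHP finishes. The `run_capture` helper is a hypothetical name, and `/usr/bin/php` is the location assumed in the answer.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Taint mode refuses to start external programs while PATH, or the
# shell-related variables below, still hold values inherited from the caller.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Absolute paths, so the lookup never depends on PATH.
# /usr/bin/php is the location used in the answer; it may differ per system.
my $php    = '/usr/bin/php';
my $footer = '/var/www/html/footer.php';

# Run a program with an argument list (no shell involved) and return its
# output. Unlike exec, this returns to the caller.
sub run_capture {
    my ($prog, @args) = @_;
    open(my $fh, '-|', $prog, @args)
        or die "cannot start $prog: $!\n";
    local $/;                       # slurp the whole output at once
    my $out = <$fh>;
    # close() on a pipe is false when the child exits non-zero ($! is then 0).
    close($fh)
        or die "$prog failed: " . ($! ? $! : 'exit status ' . ($? >> 8)) . "\n";
    return defined $out ? $out : '';
}

print "Content-Type: text/html\n\n";

my $html = eval { run_capture($php, $footer) };
if (!defined $html) {
    print STDERR "check.cgi: $@";   # lands in the Apache error log
    $html = '';
}
print $html;
```

Any value that comes from the request (query string, form fields, headers) is tainted and has to be validated against a strict pattern before it can be passed as an argument here.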
0
On

$ENV{PATH} = '/bin:/usr/bin'; before the exec like this and it is no longer complaining.

$ENV{PATH} = '/bin:/usr/bin';
exec ('php /var/www/html/footer.php') or print STDERR "couldn't exec $command: $!";

"But the CSS, bootstrap in the php file couldn't load up. Any idea please."

As for the CSS, JS and Bootstrap, I just use direct paths instead of https:// and all is working now. Thank you.