pwneglyph logo

Note

web php apache ssi cgi log-poisoning checklist

A short checklist of classic Apache/PHP misconfig wins — re-enabling PHP/SSI, readable logs, and fd-backed log targets.

Apache / SSI / CGI / Log Poisoning Checks to Keep in Reserve

On homemade PHP/Apache stacks, misconfigured .htaccess, logging, or old handler features still produce fast wins often enough to justify a short checklist pass.

Why It Matters

  • Legacy handler features and readable/poisonable logs are cheap to test and occasionally the whole exploit.

Vulnerable Pattern

  • Writable directories under document root, shared-hosting style configs, default-enabled handler modules, or file-read surfaces exposing logs.

Exploit Flow

  1. Test whether .htaccess can re-enable PHP or SSI.
  2. Check whether logs are readable.
  3. Check whether stdout or fd-backed log targets leak request-controlled content.

Variations

  • Options +Includes, AddType application/x-httpd-php .txt, CGI includes, access-log poisoning, php_value auto_prepend_file, or handler remapping.

Common Blockers

  • AllowOverride None, logs not readable from the app container, or modern Apache hardening removing the old primitive.

PoC Sketch

Options +Includes
AddType application/x-httpd-php .txt
# read candidates: /var/log/apache2/access.log, /proc/self/fd/1

Good Situations To Use It

  • A homemade Apache/PHP stack with writable docroot dirs.
  • You already have .htaccess or file-read leverage.
  • You need a quick low-effort win before deeper work.

Sources

  • fcsc2026/web/secure_mood_notes_1
  • fcsc2026/web/shellfish_say