PRB: IIS 6.0: CGI Code That Calls External Applications May Fail


When you use anonymous authentication and you call external programs (including PHP programs) from Common Gateway Interface (CGI) code, the operation may fail.


In Internet Information Services (IIS) 6.0, the IUSR_<computer_name> (anonymous) account does not have the necessary file system permissions to run executable programs in the %windir%\System32 folder by default. This denial can cause CGI code that attempts to run these external programs in the anonymous security context to fail.


To resolve this problem, grant the IUSR_<computer_name> account (or the specific account that is being used as the anonymous identity) Read and Execute access to any program or command-line tool (such as Cmd.exe) that is necessary for the application to function correctly.


This behavior is by design.

More Information

Steps to Reproduce Behavior

  1. Install PHP 4.0 on IIS 6.0.
  2. Associate the .php extension in IIS 6.0 with the Php.exe CGI application. To do this, follow these steps:
    1. Open the IIS Manager.
    2. Open the property sheet for the Web site to which you want to add the PHP extension.
    3. On the Home Directory tab, click Configuration.
    4. Under Application Mappings, click Add.
    5. For Executable, type the path to Php.exe (for example, C:\Php\Php.exe).
    6. For Extension box, type .php and click OK.
    7. Save your changes, and then close the IIS Manager.
  3. In Notepad, save the following code as Test.php:
    $output = `ping localhost`;
    echo $output;
  4. Save the file in the Web site publishing point.
  5. Call the file from a Web browser (for example, http://<localhost>/test.php).
You should see the problem that is described earlier if the IUSR account is not granted file system access to Ping.exe (located in %windir%\System32).

Note For this code to work, IUSR must have Read and Execute access to Ping.exe.

ID do Artigo: 311481 - Última Revisão: 30 de jul de 2008 - Revisão: 1