The problem is that php-cgi, when invoked by the web server through the CGI interface, accepts the same command line options as the regular php interpreter, so whatever the gateway places in argv gets parsed as options. This is clearly the wrong behavior, and the PHP manual even documents it as not happening:
http://www.php.net/manual/en/security.cgi-bin.attacks.php
"Accessing system files: http://my.host/cgi-bin/php?/etc/passwd The query information in a URL after the question mark (?) is passed as command line arguments to the interpreter by the CGI interface. Usually interpreters open and execute the file specified as the first argument on the command line. When invoked as a CGI binary, PHP refuses to interpret the command line arguments."
Although this was in the documentation, Rasmus himself had forgotten why it was there in the first place, as this php-internals thread shows:
http://thread.gmane.org/gmane.comp.php.devel/20745
So here we have a legacy feature of CGI that hardly anybody knows about, used against a PHP setup that is already rare, targeting an issue already claimed to be solved. The perfect storm.
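To make the "legacy feature of CGI" concrete, here is an added example (written for this page, not code from the original post or from PHP) of how the CGI gateway turns a query string into command line arguments, together with a check a practitioner could run over request lines. It follows RFC 3875 section 4.4: when QUERY_STRING contains no unencoded "=", the request is an "indexed" query, the server splits it on "+" and percent-decodes each word into one argv entry, which is exactly how the manual's `?/etc/passwd` example reaches the interpreter. The `-s` request used below is the same `-s` option the regular php binary accepts; the request lines are constructed for the example, and the function names are my own.

```python
"""Added example: CGI indexed-query to argv conversion (RFC 3875 4.4) and a
detection rule for option-looking arguments. Not code from the original post
or from PHP; request lines below are constructed for illustration."""
from urllib.parse import unquote


def cgi_argv(query_string: str) -> list[str]:
    """Return the argv a CGI gateway would hand the script for QUERY_STRING.

    A query string containing an unencoded '=' is a form submission and
    yields no arguments; otherwise each '+'-separated word is percent-decoded
    and becomes one argument. Note that an encoded '=' (%3d) does not count,
    so 'a%3db' still produces the argument 'a=b'.
    """
    if "=" in query_string:
        return []
    return [unquote(word) for word in query_string.split("+") if word != ""]


def option_like_args(argv: list[str]) -> list[str]:
    """Arguments a getopt-style parser (like php-cgi's) would treat as options."""
    return [arg for arg in argv if arg.startswith("-")]


def is_suspicious_query(query_string: str, strict: bool = False) -> bool:
    """Detection rule for a php-cgi endpoint.

    Default: flag an indexed query that would pass an option-looking argument
    to the interpreter (checked after decoding, so '%2ds' is caught like '-s').
    strict=True: flag any indexed query at all, because even a plain path such
    as the manual's '/etc/passwd' lands in argv and is not an option.
    """
    argv = cgi_argv(query_string)
    if strict:
        return bool(argv)
    return bool(option_like_args(argv))


# Constructed request lines for the example (not real log data).
CONSTRUCTED_REQUESTS = [
    "GET /index.php HTTP/1.1",
    "GET /cgi-bin/php?/etc/passwd HTTP/1.1",
    "GET /index.php?-s HTTP/1.1",
    "GET /index.php?%2ds HTTP/1.1",
    "GET /index.php?page=-s HTTP/1.1",
]


def flag_requests(request_lines: list[str], strict: bool = False) -> list[str]:
    """Return the request lines whose query string trips is_suspicious_query."""
    flagged = []
    for line in request_lines:
        parts = line.split()
        if len(parts) < 2 or "?" not in parts[1]:
            continue  # no query string, so the gateway adds no argv
        query_string = parts[1].split("?", 1)[1]
        if is_suspicious_query(query_string, strict=strict):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    for line in CONSTRUCTED_REQUESTS:
        path = line.split()[1]
        qs = path.split("?", 1)[1] if "?" in path else ""
        print(f"{path!r:40} argv={cgi_argv(qs)}")
    print("flagged:", flag_requests(CONSTRUCTED_REQUESTS))
```

The default rule only catches arguments that start with a dash, which is why the strict mode exists: the manual's own `?/etc/passwd` example produces a non-option argument and slips past the dash check. Both rules look at the decoded argv rather than the raw query string, since `%2d` decodes to `-` before php-cgi ever sees it.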