PHP Bugs  
Bug #19881 phpinfo() Security Problem
Submitted: 12 Oct 2002 6:16pm UTC    Modified: 13 Oct 2002 9:38pm UTC
From: mattmurphy at kc dot rr dot com    Assigned to:
Status: Bogus    Category: *General Issues
Version: 4.2.3    OS: Win32

[12 Oct 2002 6:16pm UTC] mattmurphy at kc dot rr dot com
phpinfo() in PHP 4.2.3 uses a special query string to cause a script to
return the PHP logo.  phpinfo() fails to strip any query string off of
the URI before writing it to the browser.  This opens up two issues, one
a nuisance, and the other a more serious security issue:

--- INFO.PHP ---
<?php phpinfo(); ?>
--- INFO.PHP ---

Yes, I know that's a security risk to allow anonymous users access to
debug information, but this is actually an example of a default script
in many web applications/servers (BadBlue web server, for example).

http://localhost/info.php?"><SCRIPT>alert(document.URL)</SCRIPT>=x

Some browsers will not encode this, and this results in:

<img
src="/info.php?"><SCRIPT>alert(document.URL)</SCRIPT>?=PHPE9568F34-D428-
11d2-A769-00AA001ACF42" border=0 align="right" alt="PHP Logo">

The security issue here is a cross-site scripting exposure -- not only
does PHP fail to strip the query string, it also fails to filter any
HTML entities contained in it.

The nuisance problem is that the ALT tag is displayed, but the script
executes a regular phpinfo(), and returns a bogus image.
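The reflection described in the report, and the fix the reporter asks for, as an added example that is not part of the original bug report or of PHP's own source. It is written in Python rather than PHP so it can be run stand-alone; the request URI is constructed here in the shape the report shows, the logo token is the one quoted in the report, and the tag layout is an assumption made for illustration.

```python
import html
from urllib.parse import urlsplit

# Query token the report shows PHP appending when it requests its own logo image.
LOGO_TOKEN = "PHPE9568F34-D428-11d2-A769-00AA001ACF42"

# Constructed request URI in the shape the report describes: a query string
# carrying markup that some browsers send to the server without encoding it.
INJECTED_URI = '/info.php?"><SCRIPT>alert(document.URL)</SCRIPT>=x'


def logo_tag_unsafe(request_uri: str) -> str:
    """Mirror the behaviour the report describes: the raw request URI, query
    string included, is concatenated into the img src with no escaping."""
    return ('<img src="%s?=%s" border=0 align="right" alt="PHP Logo">'
            % (request_uri, LOGO_TOKEN))


def logo_tag_safe(request_uri: str) -> str:
    """Hardened form: drop the query string (the reporter's requested fix) and
    HTML-escape what remains, so a hostile path component cannot break out of
    the attribute either."""
    path = urlsplit(request_uri).path
    return ('<img src="%s?=%s" border="0" align="right" alt="PHP Logo">'
            % (html.escape(path, quote=True), LOGO_TOKEN))


def query_reflected_unescaped(request_uri: str, page_html: str) -> bool:
    """Response check a tester or a proxy rule can apply: True when a query
    string that carries markup characters appears verbatim in the page body."""
    query = urlsplit(request_uri).query
    if not query or not any(ch in query for ch in '<>"'):
        return False
    return query in page_html


if __name__ == "__main__":
    for name, builder in (("unsafe", logo_tag_unsafe), ("safe", logo_tag_safe)):
        tag = builder(INJECTED_URI)
        print(name, "reflected:", query_reflected_unescaped(INJECTED_URI, tag))
        print("  ", tag)
```

Stripping the query string removes the reflection entirely, which is why the reporter prefers it to a filter; escaping the remaining path is the belt-and-braces step for any other hostile bytes the server passes through.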

[12 Oct 2002 10:42pm UTC] sniper@php.net
If I understood your concern correctly, the only thing you
have to do is to set 'expose_php=off' in your php.ini file.

[12 Oct 2002 11:54pm UTC] mattmurphy at kc dot rr dot com
That setting does indeed eliminate the image tag bug.  It could be used
as a temporary workaround for this issue.  The correct behavior would be
for PHP to eradicate the query string before using it in a URL.

[13 Oct 2002 9:38pm UTC] sniper@php.net
This is the solution, not a workaround.

PHP Copyright © 2001-2009 The PHP Group
All rights reserved.
Last updated: Sat Nov 21 10:30:49 2009 UTC