php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #33801 Apache executing PHP with non .php extension
Submitted: 2005-07-21 12:11 UTC Modified: 2005-07-21 12:27 UTC
From: stephen dot ball at gmail dot com Assigned:
Status: Not a bug Package: Apache2 related
PHP Version: 4.4.0 OS: Windows/Linux
Private report: No CVE-ID: None
 [2005-07-21 12:11 UTC] stephen dot ball at gmail dot com
Description:
------------
On Apache you can upload a PHP file with random characters at the end of the file name and provided it has .php in there it runs as PHP.

I have tested this on several different servers, including IIS in which it doesn't occur and also with different files on Apache such as .cgi.123 but it only appears to be PHP which runs. Likely an Apache bug but thought I'd better report it here also just to be on the safe side

Reproduce code:
---------------
<?php

phpinfo();

?>

Filename: info.php.123/info.php.abc/info.php.ccc etc

Expected result:
----------------
<?php

phpinfo();

?>

sent to browser or browser attempts to save the file

Actual result:
--------------
PHPs information page is output.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-07-21 12:16 UTC] tony2001@php.net
Turn Off option MultiViews in your httpd.conf.
Your problem has nothing to do with PHP.
 [2005-07-21 12:27 UTC] stephen dot ball at gmail dot com
Makes sense, however

#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#

and on both servers Options MultiViews is *not* set
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Mar 29 05:01:28 2024 UTC