From:             stephen dot ball at gmail dot com
Operating system: Windows/Linux
PHP version:      4.4.0
PHP Bug Type:     Apache2 related
Bug description:  Apache executing PHP with non .php extension

Description:
------------
On Apache you can upload a PHP file with random characters at the end of
the file name and, provided it has .php in there, it runs as PHP.

I have tested this on several different servers, including IIS, on which it
doesn't occur, and also with different files on Apache such as .cgi.123, but
it only appears to be PHP which runs. Likely an Apache bug, but thought I'd
better report it here also, just to be on the safe side.

Reproduce code:
---------------
<?php

phpinfo();

?>

Filename: info.php.123, info.php.abc, info.php.ccc, etc.

Expected result:
----------------
<?php

phpinfo();

?>

sent to browser or browser attempts to save the file

Actual result:
--------------
PHP's information page is output.

-- 
Edit bug report at http://bugs.php.net/?id=33801&edit=1
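Added example, not part of the original report or of PHP/Apache code: a simplified Python model of Apache mod_mime's documented handling of file names with several extensions, used to audit an upload listing for names that a check on the final extension alone would let through. It assumes the server binds PHP by extension (AddHandler or AddType for "php"); the function names and the sample listing are constructed for illustration.

```python
# Simplified model of how Apache mod_mime treats multi-extension file names.
# Assumption: PHP is bound by extension (AddHandler/AddType for "php").
HANDLER_BY_EXT = {"php": "application/x-httpd-php"}


def mapped_handler(filename, handlers=HANDLER_BY_EXT):
    """Return the handler the model assigns to filename, or None."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    handler = None
    # The first dot-separated component is the base name, not an extension.
    for ext in name.split(".")[1:]:
        hit = handlers.get(ext.lower())  # extensions match case-insensitively
        if hit:
            handler = hit  # unknown extensions such as "123" change nothing
    return handler


def final_ext_is_mapped(filename, handlers=HANDLER_BY_EXT):
    """The suffix-only check: looks at the last extension and nothing else."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return "." in name and name.rsplit(".", 1)[1].lower() in handlers


def missed_by_suffix_check(filenames):
    """Names the suffix-only check passes but the model would still execute."""
    return [f for f in filenames
            if mapped_handler(f) and not final_ext_is_mapped(f)]


# Constructed sample upload listing; the first three names are from the report.
SAMPLE = ["info.php.123", "info.php.abc", "info.php.ccc", "info.php",
          "INFO.PHP.bak", "photo.jpg", "php.txt", "notes.txt"]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f"{f:14} handler={mapped_handler(f)}")
    print("missed by suffix-only check:", missed_by_suffix_check(SAMPLE))
```

On the server side, binding the handler with `<FilesMatch "\.php$">` and `SetHandler` instead of an extension mapping limits execution to names that actually end in .php.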