Today I found a strange thing on my server. I created a PHP file (test.php) and wrote some PHP code inside it. Then I called it using
http://127.0.0.1/test
and "test.php" executed! How does it know to run test.php when there is no .php? There is no .htaccess file in my root directory to tell Apache to do that. I guess it may cause a security problem. How can I prevent it?
My OS is Ubuntu and the web server is Apache2.
This happens because of MultiViews (it's enabled somewhere in the "Options" for that directory).
Have a look here: http://httpd.apache.org/docs/current/content-negotiation.html#negotiation for details on how it works.
Check your Apache config (/etc/apache2/sites-available/[site_name or default]); it probably contains mod_rewrite instructions, for example:
RewriteEngine on
RewriteBase /
# only rewrite when a file with the same name plus .php exists under the document root
RewriteCond %{DOCUMENT_ROOT}/$1.php -f
# map any path whose last segment has no dot onto the same path with .php appended
RewriteRule ^(([^/]+/)*[^.]+)$ /$1.php [L]
If you comment them out with # and restart Apache, accessing /test without specifying the extension should no longer work.
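Both answers above point at a server-side setting as the cause: either MultiViews in the directory's Options, or a RewriteRule that appends .php. The script below is an added example, not code from either answer or from the Apache project; it audits an Apache config file for both mechanisms and shows the hardened form beside the permissive one. The two config files it reads (vulnerable.conf and hardened.conf), their contents, and the /var/www/html path inside them are constructed for the demonstration and are not anything from the original question.

```shell
#!/bin/sh
# Added example: audit an Apache config for the two mechanisms that make
# /test serve test.php: MultiViews and a .php-appending RewriteRule.
# The configs written below are constructed sample data, not real server files.

# Exit 0 if an uncommented Options line enables MultiViews ("MultiViews" or
# "+MultiViews"); "-MultiViews" and "All" (which excludes MultiViews) do not count.
multiviews_enabled() {
    grep -v '^[[:space:]]*#' "$1" |
    grep -i '^[[:space:]]*Options' |
    grep -iqE '(^|[[:space:]])[+]?MultiViews([[:space:]]|$)'
}

# Exit 0 if an uncommented RewriteRule rewrites to a .php target.
rewrite_appends_php() {
    grep -v '^[[:space:]]*#' "$1" |
    grep -i '^[[:space:]]*RewriteRule' |
    grep -qi '\.php'
}

# Print each finding and return the number of findings (0 means clean).
audit_config() {
    findings=0
    if multiviews_enabled "$1"; then
        echo "$1: MultiViews is on, so /test can negotiate to test.php"
        findings=$((findings + 1))
    fi
    if rewrite_appends_php "$1"; then
        echo "$1: an active RewriteRule maps extension-less paths to .php files"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# --- constructed sample configs (placeholder paths, not a real deployment) ---
WORK=$(mktemp -d)
VULN_CONF="$WORK/vulnerable.conf"
SAFE_CONF="$WORK/hardened.conf"

# Permissive: MultiViews enabled and the .php rewrite active.
cat > "$VULN_CONF" <<'EOF'
<Directory /var/www/html>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
</Directory>
RewriteEngine on
RewriteBase /
RewriteCond %{DOCUMENT_ROOT}/$1.php -f
RewriteRule ^(([^/]+/)*[^.]+)$ /$1.php [L]
EOF

# Hardened: MultiViews explicitly off and the rewrite commented out.
cat > "$SAFE_CONF" <<'EOF'
<Directory /var/www/html>
    Options -Indexes +FollowSymLinks -MultiViews
    AllowOverride None
</Directory>
RewriteEngine on
RewriteBase /
# RewriteCond %{DOCUMENT_ROOT}/$1.php -f
# RewriteRule ^(([^/]+/)*[^.]+)$ /$1.php [L]
EOF

audit_config "$VULN_CONF" || echo "vulnerable.conf: $? finding(s)"
audit_config "$SAFE_CONF" && echo "hardened.conf: clean"
```

On Debian and Ubuntu the directives can live in /etc/apache2/apache2.conf, in the files under sites-enabled/ and conf-enabled/, or in any .htaccess that AllowOverride permits, so run the audit over each of them. After changing Options to -MultiViews or commenting out the rule, run `apache2ctl configtest` and reload Apache, then request /test again to confirm it now returns 404.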