Research on PHP programs without a file extension

zhaozj 2021-02-12

Environment: WinXP Pro, Apache 2.0.49, PHP 4.3.5 (module)

PHP code stored in a file with no extension can still be handed to the PHP interpreter. This is a good way to increase security, because it adds confusion for intruders and for people hotlinking content. For example:

http://www.msger.net/chat?username=hackfan
http://www.msger.net/images/test.gif

By the usual reading, the two URLs above would map to a layout like this:

/
|-chat/
|  |-index.php
|-images/
|  |-test.gif

However, Apache with PHP allows chat and images themselves to be PHP programs, with the rest of the URL passed to them as a parameter. In fact, these two URLs may well map to this:

/
|-chat (PHP file)
|-images (PHP file)
|-imagessecret/ (directory)

A request for http://www.msger.net/images/test.gif is handed to the images PHP program. Some of the server variables this program sees are given below:

$_SERVER["REQUEST_URI"] = /images/test.gif
$_SERVER["SCRIPT_NAME"] = /images
$_SERVER["PATH_INFO"] = /test.gif
$_SERVER["PHP_SELF"] = /images/test.gif

Note that Apache reports the correct value only in $_SERVER["SCRIPT_NAME"]; almost all the other values are fooled. I don't know what everyone else thinks of this behaviour, but I think it can be used to prevent image hotlinking.

Also, after searching through a lot of material, I finally got Apache to correctly interpret PHP files that have no extension:

Modify httpd.conf, find , and add: DefaultType application/x-httpd-php

One remaining open problem:

How should a request such as http://www.msger.net/images/..Test.gif be handled? Do not send such requests with IE, because IE handles them automatically.
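One way the extensionless images script could use the values listed above, as an added example that is not code from the original page: it treats PATH_INFO as untrusted input, accepts only a single plain file name (which also settles the `..` request raised above), and applies a Referer check against hotlinking. The function name resolve_image, the extension whitelist and the use of imagessecret/ as the storage directory are assumptions.

```php
<?php
// Added example: hypothetical body of the extensionless "images" script.
// Assumption: the real files live in imagessecret/ next to this script.

// Map client-controlled PATH_INFO to a file inside $baseDir, or return false.
function resolve_image($pathInfo, $baseDir)
{
    // Accept exactly one plain file name: a single leading slash, no other
    // separators, no leading dot. "/..Test.gif" and "/../x" both fail here.
    if (!preg_match('#^/([A-Za-z0-9_-][A-Za-z0-9._-]*)$#D', $pathInfo, $m)) {
        return false;
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . '/' . $m[1]);
    // Defence in depth: after symlinks are resolved, stay inside $base.
    if ($base === false || $full === false || !is_file($full)
        || strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    return $full;
}

$types = array('gif' => 'image/gif', 'jpg' => 'image/jpeg', 'png' => 'image/png');
$allowedHost = 'www.msger.net'; // host from the page's sample URLs

// PATH_INFO is the part of the URL after /images; it is still client input.
$pathInfo = isset($_SERVER['PATH_INFO']) ? $_SERVER['PATH_INFO'] : '';
$file = resolve_image($pathInfo, dirname(__FILE__) . '/imagessecret');
$ext = $file === false ? '' : strtolower(pathinfo($file, PATHINFO_EXTENSION));
if ($file === false || !isset($types[$ext])) {
    header('HTTP/1.1 404 Not Found');
    exit;
}

// Hotlink check. Referer is optional and forgeable, so this deters casual
// embedding only; an empty Referer (direct visit) is let through.
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
if ($referer !== '') {
    $refHost = parse_url($referer, PHP_URL_HOST);
    if (!is_string($refHost) || strcasecmp($refHost, $allowedHost) !== 0) {
        header('HTTP/1.1 403 Forbidden');
        exit;
    }
}

header('Content-Type: ' . $types[$ext]);
header('Content-Length: ' . filesize($file));
readfile($file);
```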

When reposting, please cite the original address: https://www.9cbs.com/read-6869.html
