4

Today I found a strange thing on my server. I created a PHP file (test.php) and wrote some PHP code inside it. Then I called it using

http://127.0.0.1/test

and "test.php" executed! How does it know to run test.php when there is no .php? There is no htaccess file in my root directory to tell Apache to do that. I guess it may cause a security problem. How can I prevent it?

My OS is Ubuntu and the web server is Apache2.

1
  • How does that cause a security problem? If someone can access example.com/test they can just as well access example.com/test.php. Commented Apr 8, 2012 at 9:07

2 Answers

7

This happens because of MultiViews (it's enabled somewhere in the "Options" for that directory).

Have a look here: http://httpd.apache.org/docs/current/content-negotiation.html#negotiation for details on how it works.


1 Comment

This is indeed the reason.
3

Check your Apache config (/etc/apache2/sites-available/[site_name or default]), it probably contains mod_rewrite instructions, for example:

RewriteEngine on
RewriteBase /
# Only rewrite when a matching .php file actually exists under the document root
RewriteCond %{DOCUMENT_ROOT}/$1.php -f
# Map any extension-less path (no dot in the last segment) to the same path plus .php
RewriteRule ^(([^/]+/)*[^.]+)$ /$1.php [L]

If you comment them out with # and restart Apache, accessing /test without specifying the extension should no longer work.
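Both answers point at a config setting (MultiViews in the first, a mod_rewrite rule in the second). As an added example that is not part of either answer or of Apache's own tooling, here is a small shell audit helper that scans a config file for either cause, next to a hardened Directory block that turns MultiViews off explicitly. Function names and the sample config lines are constructed for this example.

```shell
#!/bin/sh
# Audit an Apache config fragment for the two causes discussed above.
# Returns 0 when extension-less access to .php is configured, 1 otherwise.
# Caveat encoded in the regex: "Options All" does NOT include MultiViews
# (Apache docs), while "Options MultiViews" and "+MultiViews" do enable it.
# The RewriteRule check is a heuristic; review any hit by hand.
audit_extensionless_php() {
    file="$1"
    found=1
    # Strip comments, then look for an Options directive that enables MultiViews
    # (a "-MultiViews" token deliberately does not match).
    if sed 's/#.*//' "$file" \
       | grep -Ei '^[[:space:]]*Options([[:space:]]+[+-]?[A-Za-z]+)*[[:space:]]+\+?MultiViews([[:space:]]|$)' >/dev/null; then
        echo "MultiViews enabled in $file: content negotiation serves test.php for /test"
        found=0
    fi
    # A RewriteRule whose substitution appends .php (the pattern in the second answer).
    if sed 's/#.*//' "$file" | grep -Ei '^[[:space:]]*RewriteRule[[:space:]].*\.php' >/dev/null; then
        echo "RewriteRule mapping extension-less paths to .php found in $file"
        found=0
    fi
    return $found
}

# Constructed sample of a permissive sites-available entry (both causes present).
sample_permissive() {
    cat <<'EOF'
<Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
</Directory>
RewriteEngine on
RewriteCond %{DOCUMENT_ROOT}/$1.php -f
RewriteRule ^(([^/]+/)*[^.]+)$ /$1.php [L]
EOF
}

# Hardened form: MultiViews switched off explicitly and no .php-mapping rewrite.
sample_hardened() {
    cat <<'EOF'
<Directory /var/www/>
    # "Options All" would already exclude MultiViews; -MultiViews states the intent
    Options -MultiViews +FollowSymLinks
    AllowOverride None
</Directory>
EOF
}
```

Run it against the real files with `audit_extensionless_php /etc/apache2/sites-available/000-default.conf` (and any .htaccess under the document root), then `apache2ctl configtest` and a restart after applying the hardened Options line.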
