[VIM] PHP File Upload Vulnerability with extra Extension

Matthew Murphy mmurphy_apple at mac.com
Mon May 12 21:50:21 UTC 2008

On May 12, 2008, at 2:28 PM, str0ke wrote:

> I have forgotten what caused the vulnerability where you upload a file
> such as somefile.php.jpg and it can be executed as a php script.  I  
> know
> this isn't a php vulnerability as much as an addon.  I think in the  
> past
> it was suexec that caused this but not sure.  Anyone have a clue?
> Regards,
> /str0ke

It's a design decision, according to ASF.  The idea is that you can  
have multiple extensions, e.g:


Both of which affect the content processing in some way.  The .html  
file tells the core that it is a static document, but the .en tells  
mod_negotiation that it is an English-language version of  
'index.html'.  The same processing is done for PHP content, e.g.:


Will be processed if I request 'index.php' with an Accept-Language  
header including 'fr' or a subcode of it.

- Matt

More information about the VIM mailing list