Hi all,
I have discovered new and very odd requests made to my PHP website that look like:
www.domain.com/index.php/login.php
The odd part in this request is that there are two files with the php extension requested from the server and it seems that both files get processed.
When such a request is made, index.php is displayed first but there is no style applied to it and some additional information from login.php is displayed below.
My question is, what is this, what do you call it and where can I find more details on this? It is obvious it is some kind of security hole that people are exploiting and I wasn't aware of.
Thank you in advance!
The "domain.com/index.php/login.php" kind of requests in PHP
- getmizanur
- Forum Commoner
- Posts: 71
- Joined: Sun Sep 06, 2009 12:28 pm
Re: The "domain.com/index.php/login.php" kind of requests in
Not really sure; however, I'm guessing it may be that you have a mod rewrite rule set up in your .htaccess that is not working.
Re: The "domain.com/index.php/login.php" kind of requests in
This is probably a bot trying to be sneaky. I have tons of entries like that for my website. Unless you have a login.php script somewhere I wouldn't worry about it. You may want to do something to reduce the server overhead for processing these results - like throwing a 404, or redirecting to the homepage, etc.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
Re: The "domain.com/index.php/login.php" kind of requests in
This is a simple trick to route all traffic through your index.php.
The server stops looking at the request uri after it finds index.php, and the rest of the information is simply accessible through REQUEST_URI to determine which requests you are actually trying to fulfil. It's basically a poor man's mod rewrite implementation, and index.php is a front controller.
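
An added example, not part of the thread or any poster's code: a PHP guard that answers 404 when a request carries extra path segments after the script name, which is the behaviour described in the replies above. It assumes the site does not rely on path info for routing; the function names are hypothetical and the sample requests are constructed.

```php
<?php
// Added example (hypothetical helper names). Assumes the site does NOT
// route on path info, so /index.php/anything is never legitimate.

/** Return the segments after the script name, or '' if there are none. */
function trailing_path_info(array $server): string
{
    // Most SAPIs expose the extra segments directly.
    if (!empty($server['PATH_INFO'])) {
        return (string) $server['PATH_INFO'];
    }
    // Fallback: compare the URL path (query string stripped) to the script.
    $path   = (string) parse_url($server['REQUEST_URI'] ?? '', PHP_URL_PATH);
    $script = (string) ($server['SCRIPT_NAME'] ?? '');
    if ($script !== '' && strpos($path, $script . '/') === 0) {
        return substr($path, strlen($script));
    }
    return '';
}

/** Call first thing in index.php: reject_trailing_path_info($_SERVER); */
function reject_trailing_path_info(array $server): void
{
    $extra = trailing_path_info($server);
    if ($extra === '') {
        return;
    }
    // json_encode escapes control characters, keeping the log line intact.
    error_log('Rejected trailing path info: ' . json_encode($extra));
    http_response_code(404);
    exit('Not Found');
}

// Constructed sample requests, run only from the command line.
if (PHP_SAPI === 'cli') {
    $samples = [
        ['REQUEST_URI' => '/index.php',           'SCRIPT_NAME' => '/index.php'],
        ['REQUEST_URI' => '/index.php?page=2',    'SCRIPT_NAME' => '/index.php'],
        ['REQUEST_URI' => '/index.php/login.php', 'SCRIPT_NAME' => '/index.php'],
    ];
    foreach ($samples as $s) {
        printf("%-24s => '%s'\n", $s['REQUEST_URI'], trailing_path_info($s));
    }
}
```

On Apache, the `AcceptPathInfo Off` directive gives the same 404 at the server level, before PHP runs.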