our website’s team just discovered that any user can add a slash ‘/’ then any string after a URL that ends with a .php extension and still access the same original page.
For example:
I can access http://www.mydomain.com/index.php with:
- http://www.mydomain.com/index.php/test
- http://www.mydomain.com/index.php/test/123
- http://www.mydomain.com/index.php/wqeqwew/2234dwd
(Note: Additional strings after index.php/ are non-existent in the server, they’re just some garbage)
Another problem is that with my dynamic URLs, I can always add a nonexistent php file in between my domain name and the first parameter.
For example:
I can access http://www.mydomain.com/product/one with:
How can I prevent this from happening and how do I deal with it? Is this a serious problem in terms of SEO or security? I want the website to return 404 error whenever these kinds of URL are entered or clicked in the browser.
Any help is greatly appreciated. Thanks!
EDIT:
I think I already fixed it. For the first problem, I added AcceptPathInfo Off in my .htaccess. And for the second problem, I just added ^ before my RewriteRule for my dynamic URL, e.g. RewriteRule ^product/(.*)$ so that nobody can add anymore extra string in between the domain name and the first parameter. Thanks for all the help!
This is due to Apache’s
AcceptPathInfodirective. You can turn it off – if the server is configured accordingly, you’ll just need a .htaccess file for it.I can’t think of a way in which it could be a serious problem. It’s generally enabled by default in most handlers, and is being routinely used as a “poor man’s
mod_rewrite” (A way to provide fancy-looking URLs).