Our website’s team just discovered that any user can add a slash ‘/’ then any string after a URL that ends with a .php extension and still access the same original page.
For example:
I can access www.mydomain.com/index.php with:
- www.mydomain.com/index.php/test
- www.mydomain.com/index.php/test/123
- www.mydomain.com/index.php/wqeqwew/2234dwd
(Note: Additional strings after index.php/ are non-existent in the server, they’re just some garbage)
Another problem is that with my dynamic URLs, I can always add a nonexistent php file in between my domain name and the first parameter.
For example:
I can access www.mydomain.com/product/one with:
- www.mydomain.com/test.php/product/one
- www.mydomain.com/imnothere.php/product/one
How can I prevent this from happening and how do I deal with it? Is this a serious problem in terms of SEO or security? I want the website to return a 404 error whenever these kinds of URLs are entered or clicked in the browser.
Any help is greatly appreciated. Thanks!
EDIT:
I think I already fixed it. For the first problem, I added AcceptPathInfo Off in my .htaccess. And for the second problem, I just added ^ before my RewriteRule for my dynamic URL, e.g. RewriteRule ^product/(.*)$ so that nobody can add any more extra strings in between the domain name and the first parameter. Thanks for all the help!
Answer
How can I prevent this from happening and how do I deal with it?
This is due to Apache’s AcceptPathInfo directive. You can turn it off – if the server is configured accordingly, you’ll just need a .htaccess file for it.
Is this a serious problem in terms of SEO or security?
I can’t think of a way in which it could be a serious problem. It’s generally enabled by default in most handlers, and is being routinely used as a “poor man’s mod_rewrite” (a way to provide fancy-looking URLs).
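The two changes described in the question and the answer, written out as an added example .htaccess (not taken from the original post). The rewrite target product.php?id=$1 is an assumption; the asker's post only shows the pattern.

```apache
# Added example: permissive form and fixed form for each of the two issues.
# Both directives need AllowOverride FileInfo to be accepted in .htaccess.

# --- Issue 1: /index.php/test still served index.php ---
# With path info accepted (the default for the PHP handler), the trailing
# "/test" is handed to the script as PATH_INFO and the page renders normally.
# AcceptPathInfo On

# Fixed: Apache answers 404 when a request carries extra path info after an
# existing file, so /index.php/test and /index.php/test/123 no longer resolve.
AcceptPathInfo Off

# --- Issue 2: /test.php/product/one matched the dynamic-URL rule ---
RewriteEngine On

# Weak rule: the pattern is unanchored, so "product/" is found anywhere in the
# per-directory path, including after a bogus "imnothere.php/" prefix.
# RewriteRule product/(.*)$ product.php?id=$1 [L]

# Fixed: ^ anchors the pattern to the start of the path relative to this
# directory, so only /product/one matches; /test.php/product/one falls
# through to the nonexistent test.php and gets a 404.
RewriteRule ^product/(.*)$ product.php?id=$1 [L]
```

After the change, requesting /index.php/test and /test.php/product/one should both return 404 while /index.php and /product/one still work; checking those four URLs is enough to confirm both fixes took effect.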