Bug #1778

Possible php security issue?

Added by Anonymous over 11 years ago. Updated over 11 years ago.

Status: Missing Feedback

I recently yum installed a fresh copy of lighttpd onto my server; I'm migrating from Apache.

I have a very simple site and required the default installation, except I enabled PHP, mod_rewrite and mod_fastcgi.

I also added a line to the conf:

url.rewrite = (
        "^/local/(.*)" => "/local.php/$1",
        "^/site/(.*)" => "/site.php/$1"
)

My site has links like:

that are passed to a script called 'site.php'

Now here is where things get weird, this link below works fine and executes the script 'site.php' as intended:
/site/contact/200.html (works)

but for this link below, lighttpd will display the source of the site.php file:
/site/top_100/100.html (displays source of 'site.php')

however, this link below DOES work:

I've tested it with other links on the site, and it will for some odd reason execute some links, then dump the source of the 'site.php' script file on others that are almost the same. It also DOES work when the underscore is present in some links like:

/site/en_abcd_org/91924.html (works perfectly fine)
/site/buzz_100/600.html (displays the source of the script file.)

Is my rewrite syntax off, or is this a bug? This is on a fresh install of Fedora 9.

Mike Brown

-- lost_ark


Updated by stbuehler over 11 years ago

Test with curl (and clear your browser-cache); if it really doesn't work paste your lighty version and the complete config.
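
The curl test suggested above can be scripted so that each URL from the report is fetched without a browser cache and the response is checked for raw PHP source. This is an added example, not part of the original thread or the lighttpd project; `BASE_URL`, the function names and the sample responses are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. BASE_URL is an assumption; the paths are those quoted in the report.
BASE_URL="${BASE_URL:-http://localhost}"

# classify_response FILE: FILE holds the output of `curl -s -i` (headers + body).
# Prints "source-leak", "executed" or "error".
classify_response() {
    status=$(head -n 1 "$1" | awk '{print $2}')
    case "$status" in
        2??) ;;                        # only judge successful responses
        *) echo "error"; return 0 ;;
    esac
    # Body is everything after the first blank line (CRs stripped).
    # A raw "<?php" tag there means the file was served, not run by FastCGI.
    if tr -d '\r' < "$1" | awk 'body {print} /^$/ {body=1}' | grep -qF '<?php'; then
        echo "source-leak"
    else
        echo "executed"
    fi
}

# check_paths PATH...: fetch each path fresh and print its classification.
check_paths() {
    for path in "$@"; do
        tmp=$(mktemp)
        curl -s -i "$BASE_URL$path" > "$tmp" || true
        printf '%-12s %s\n' "$(classify_response "$tmp")" "$path"
        rm -f "$tmp"
    done
}

# Constructed sample responses (not captured from a real server).
write_sample() {  # write_sample KIND FILE
    case "$1" in
        leak) printf 'HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n<?php\necho "hi";\n' ;;
        ok)   printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>hi</body></html>\n' ;;
    esac > "$2"
}

# Live run against your own server: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    check_paths /site/contact/200.html /site/top_100/100.html \
                /site/en_abcd_org/91924.html /site/buzz_100/600.html
fi
```

If a path is reported as `source-leak` here but not in the browser (or the reverse), the browser cache is the likely difference between the two results.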


Updated by stbuehler over 11 years ago

  • Status changed from New to Fixed
  • Resolution set to worksforme

Missing feedback.


Updated by stbuehler over 11 years ago

  • Status changed from Fixed to Missing Feedback
