Possible php security issue?
I recently yum installed a fresh copy of lighttpd onto my server; I'm migrating from Apache.
I have a very simple site and required the default installation, except I enabled PHP, mod_rewrite and mod_fastcgi.
I also added a line to the conf:
url.rewrite = ( "^/local/(.*)" => "/local.php/$1", "^/site/(.*)" => "/site.php/$1" )
My site has links like:
that are passed to a script called 'site.php'
Now here is where things get weird, this link below works fine and executes the script 'site.php' as intended:
but this link below, lighttpd will display the source of the site.php file:
/site/top_100/100.html (displays source of 'site.php')
however, this link below DOES work:
I've tested it with other links on the site, and it will for some odd reason execute some links, then dump the source of the 'site.php' script file on others that are almost the same. It also DOES work when the underscore is present in some links like:
/site/en_abcd_org/91924.html (works perfectly fine)
/site/buzz_100/600.html (displays the source of the script file.)
Is my rewrite syntax off, or is this a bug? This is on a fresh install of Fedora 9.