Hi Arno! Seems to be the standard behaviour of Apache servers all over the world!
I was testing this way: First I renamed a real, proper GIF-file to "this.php.nice.gif", put it in the root of my websites and called it with the browser. Result: "Error 500 Internal Server Error". The logfile tells: "Premature end of script headers: this.php.nice.gif". Then I did infect the same GIF-file with some PHP-Code (<?php echo "Hello, I'm evel"; ?>), renamed it to "this.php.evel.gif", put it in the root, called it with the browser. The result was exactly the same: Error 500, Premature end of script headers. That means, wether the file is infected or not, it IS passed to the PHP interpreter only because it contains somewehere ".php" in his name! Then I renamed a real PHP script to "test.php.gif". This finaly produced the following response from my web hoster: _QUOTE_ Files with Extra ".php." Extension If you were directed to this page, you probably tried viewing a file that contains .php. in its name, such as image.php.jpeg or image.php. (note the extra dot at the end). The site you were visiting uses the Apache Web server, which will usually attempt to run such files as PHP scripts (instead of allowing your browser to display them as images, or completely failing to run them, as you'd probably expect). Allowing those files to run as a PHP script is a security vulnerability, as seen in exploits for WordPress and Joomla. Because of that, we block requests to these files. If youre the owner of this site and you want to use a real image that includes .php. as part of the name, please rename the file. _END QUOTE_ Sounds reasonable. And means, you really must protect your uploadings. A simple way: $filename = str_replace('.php', '', $_FILES['userfile']['name']); move_uploaded_file($_FILES['userfile']['tmp_name'], 'yourdirectory/'.$filename); Hope, this helps, Niklaus Arno Kuhl am Donnerstag, 19. September 2013 - 16:14: > Arno: If you can request that file using a web browser, and it gets executed > as PHP on your server then there is an error in the Apache configuration. > > Easy test: create a file in a text editor containing some PHP (<?php > phpinfo(); ?> would be enough) and upload it to the www root of your site > and name it test.pgif. Then hit http://www.yourdomain.com/test.pgif in your > browser. If you see the PHP code or an error then you're fine. If you see > PHP's info page then you need to change web host as quickly as possible. I > don't care if they fix it - the fact their server was configured to do this > by default is enough for me to never trust them again. > > -Stuart > -- > > Thanks Stuart. I just tried it now, test.php.pgif displayed the info while > test.xyz.pgif returned the content, confirming the problem. My service > provider finally conceded the problem is on their side and are looking for > an urgent fix, much too complicated to consider moving service providers in > the short term. > > As a side note, the sp said the issue is new and coincided with an upgrade > to fastcgi recently, I wonder if the hacker was exploiting a known issue > with that scenario? > > Cheers > Arno > > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php