It turns out that the default settings of CentOS Apache actually allow this and it is a known vulnerability. In order to fix it, you will need to edit your Apache config settings. Your PHP settings are typically in /etc/httpd/conf.d/php.conf. The default looks like this:
AddHandler php5-script .php
AddType text/html .php
We need to change it to:
#AddHandler php5-script .php
<FilesMatch \.php$>
SetHandler application/x-httpd-php
</FilesMatch>
AddType text/html .php
Restart Apache, and that should be the end of PHP parsing any file with an extension after .php.
Now, that $ is very important because this is using regex and within regex a $ means "end of string". So that means the file has to END with .php (i.e. no .php.txt) to be parsed by PHP.
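To see which existing files the change affects, the following added example (not part of the original post) compares the two matching rules and lists names that PHP handled under AddHandler but no longer handles under the FilesMatch block. It uses a simplified model of mod_mime's multiple-extension matching; the function names and sample file names are constructed for illustration.

```python
import os
import re
import sys

# The regex from the FilesMatch fix above; "$" anchors it to the end of the name.
FILESMATCH_RE = re.compile(r"\.php$")


def addhandler_matches(filename, ext="php"):
    """Simplified model of 'AddHandler php5-script .php': mod_mime considers
    every dot-separated extension after the base name, case-insensitively."""
    extensions = os.path.basename(filename).split(".")[1:]
    return ext in (e.lower() for e in extensions)


def filesmatch_matches(filename):
    """'<FilesMatch \\.php$>': only names that END in .php get the PHP handler."""
    return FILESMATCH_RE.search(os.path.basename(filename)) is not None


def changed_by_fix(filenames):
    """Names PHP parsed under AddHandler but does not parse under FilesMatch."""
    return [f for f in filenames
            if addhandler_matches(f) and not filesmatch_matches(f)]


def audit_tree(root):
    """Walk a document root and return the affected paths, sorted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits += [os.path.join(dirpath, f) for f in changed_by_fix(files)]
    return sorted(hits)


# Constructed sample names, used when no directory is given on the command line.
SAMPLE = ["index.php", "notes.php.txt", "avatar.php.jpg", "report.txt",
          "archive.tar.gz", "Legacy.PHP", "php.ini"]

if __name__ == "__main__":
    results = audit_tree(sys.argv[1]) if len(sys.argv) > 1 else changed_by_fix(SAMPLE)
    for path in results:
        print(path)
```

Note that the regex is case-sensitive, so a legitimate script named with an upper-case extension (Legacy.PHP in the sample) also stops being parsed after the change and should be renamed.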