{"version":"1.0","provider_name":"Rainbow Dash Network","provider_url":"http:\/\/rainbowdash.net\/","type":"link","title":"RedEnchilada (notice the lack of a space) (redenchilada)'s status on Sunday, 28-Jul-13 01:53:40 UTC","author_name":"RedEnchilada (notice the lack of a space) (redenchilada)","author_url":"http:\/\/rainbowdash.net\/redenchilada","url":"http:\/\/rainbowdash.net\/notice\/2858286","html":"@<span class=\"vcard\"><a href=\"http:\/\/rainbowdash.net\/user\/30473\" class=\"url\" title=\"Dale Cooper\"><span class=\"fn nickname\">dalecooper<\/span><\/a><\/span> The method I used was editing php.ini and setting cgi.fix_pathinfo=0; it means it'll error out if the exact requested file isn't found. Otherwise they could do \/uploaded_file.txt\/blah.php and execute PHP code included in the text file. Just check <a href=\"http:\/\/wiki.nginx.org\/Pitfalls#Passing_Uncontrolled_Requests_to_PHP\" title=\"http:\/\/wiki.nginx.org\/Pitfalls#Passing_Uncontrolled_Requests_to_PHP\" rel=\"nofollow external\">http:\/\/wiki.nginx.org\/Pitfalls#Passing_Uncontrolled_Requests_to_PHP<\/a> real quick."}