How Apache AddHandler PHP setting exposes a security risk

An interesting little tip I read lately and thought was worth sharing. Apparently, setting Apache to serve PHP files using AddHandler makes Apache parse all files with a ".php" substring in the file name (not only those ending with php). The consequences can be very dangerous if you allow files to be uploaded to the server and don't validate file names properly.
You should not let people upload PHP files, especially into the webroot folder, as they would be able to execute any PHP code with Apache's permissions. Most upload scripts check that you are not uploading any of the PHP-associated formats (php, phtml etc., depending on application settings). But people would not expect that a file named like the one below would be executed:
test.php.txt
The problem occurs if Apache is set to serve PHP source files with the following directive:
<IfModule mod_mime.c>
    AddHandler application/x-httpd-php .php
</IfModule>
In that case, all files containing the .php substring in the file name will be processed as PHP scripts, not only those ending with .php.
So if you support uploads, it is worth validating file names properly, as well as double-checking whether your Apache setup uses the AddType or the AddHandler directive. The former does not cause test.php.txt to be executed.
PS. What is funny is that this works exactly the same way on Apache for Windows (like WAMP).
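An added example, not from the original post: a small Python audit of the two things the post suggests checking, the Apache configuration for AddHandler lines that map a PHP handler, and a list of uploaded file names for a mapped extension hidden before the final one. The sample configuration, the file names and all function names are constructed for illustration; treating any handler whose name contains "php" as a PHP handler is an assumption.

```python
import re

# Directive syntax: AddHandler handler-name extension [extension] ...
# Apache directive names are case-insensitive; commented-out lines do not match.
ADDHANDLER = re.compile(r"^\s*AddHandler\s+(\S+)\s+(.+)$", re.IGNORECASE)

def find_php_addhandler(conf_text):
    """Return (line_number, handler, extensions) for every AddHandler line
    whose handler name contains "php" (heuristic, an assumption)."""
    hits = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = ADDHANDLER.match(line)
        if m and "php" in m.group(1).lower():
            exts = [e.lstrip(".").lower() for e in m.group(2).split()]
            hits.append((lineno, m.group(1), exts))
    return hits

def hidden_handler_extensions(filename, exts):
    """Return mapped extensions that appear before the final extension,
    e.g. test.php.txt -> ['php']. A plain index.php returns [] because an
    ordinary last-extension check already catches it."""
    parts = filename.lower().split(".")[1:]  # drop the base name
    return [p for p in parts[:-1] if p in exts]

def audit(conf_text, filenames):
    """Names that an AddHandler mapping found in conf_text would hand to PHP
    even though they do not end in a mapped extension."""
    exts = {e for _, _, found in find_php_addhandler(conf_text) for e in found}
    return [n for n in filenames if hidden_handler_extensions(n, exts)]

# Constructed sample input, not taken from a real server.
SAMPLE_CONF = """\
<IfModule mod_mime.c>
    # AddHandler application/x-httpd-php .phtml
    AddType text/html .html
    AddHandler application/x-httpd-php .php
</IfModule>
"""
SAMPLE_UPLOADS = ["photo.jpg", "test.php.txt", "notes.PHP.bak",
                  "report.txt", "index.php"]

if __name__ == "__main__":
    for lineno, handler, exts in find_php_addhandler(SAMPLE_CONF):
        print(f"line {lineno}: AddHandler {handler} maps {exts}")
    for name in audit(SAMPLE_CONF, SAMPLE_UPLOADS):
        print(f"would be executed as PHP: {name}")
```

The audit only looks at AddHandler lines, following the post's statement that AddType does not cause test.php.txt to be executed.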
About the author

Hi, my name is Artur Ejsmont,
welcome to my blog.
I am a passionate software engineer living in Sydney and working for Yahoo! Drop me a line or leave a comment.
Enjoy!