It appears as if PHP/4.0.4 installed on Win ME running Apache/1.3.20 will disclose php source if the url is entered with pounds surrounding the dot. http://server.com/phpfile#.#php I have tested this on: Apache/1.3.22 (Win32) PHP/4.0.6 (Win2K pro) And it is not vulnerable. This may be a Win ME thing.. I would be curious if Apache/1.3.22 on Win ME is vulnerable Now WHY someone would have a webserver on ME....is another question....
