[CentOS] [OT] Apache oddity - appending garbage request does not result in a 404

Tue Jul 19 20:28:50 UTC 2011
Ray Leventhal <centos at swhi.net>

HI,

I know this is OT and I apologize in advance, but with the wealth of 
knowledge on this list I hope that some kind soul will help (off list is 
fine).

I run CentOS 5.6 with the usual LAMP stack.  One of the virtual sites on 
this server failed a PCI Compliance (credit card security stuff) 
because, of all things, a URL with a non-existent request after the .php 
doesn't return a 404 and I can't figure out why.

Example: http://www.domain.com/pagedoesnotexist returns the expected 404

But browse to a page that does exist, like goodpage.php, then append 
either a slash and some random string, or a ?=somerandomstring and the 
goodpage.php is still displayed.

I'll gladly provide more info, if needed.  Any pointers on where to look 
would be truly appreciated.

Thanks in advance, and my apologies for the noise.

-Ray