HI, I know this is OT and I apologize in advance, but with the wealth of knowledge on this list I hope that some kind soul will help (off list is fine). I run CentOS 5.6 with the usual LAMP stack. One of the virtual sites on this server failed a PCI Compliance (credit card security stuff) because, of all things, a URL with a non-existent request after the .php doesn't return a 404 and I can't figure out why. Example: http://www.domain.com/pagedoesnotexist returns the expected 404 But browse to a page that does exist, like goodpage.php, then append either a slash and some random string, or a ?=somerandomstring and the goodpage.php is still displayed. I'll gladly provide more info, if needed. Any pointers on where to look would be truly appreciated. Thanks in advance, and my apologies for the noise. -Ray