However, if you ask the server for example.com/1px.gif/test.php, the URI will be 1px.gif/test.php, which matches location \.php$, and SCRIPT_FILENAME will become /scripts/1px.gif/test.php.
Further, if cgi.fix_pathinfo == 1 (the default), SCRIPT_FILENAME will be equal to /scripts/1px.gif and PATH_INFO will be equal to test.php.
NB! In some configurations, the vulnerability is triggered by a URL like 1px.gif%00test.php
As a result, the PHP interpreter will process /scripts/1px.gif. That is, any user who is able to upload files to the server (for example, avatars) can create a special image that both passes GD size validation and is executed by the PHP interpreter, and so gains the ability to execute arbitrary code on the server with the rights of the PHP process.
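The resolution described above can be modelled to audit which request URIs would hand a non-PHP file to the interpreter. This is an added example, not code from the original article: it is a simplified model of the cgi.fix_pathinfo behaviour, and the function names and the constructed file set are assumptions.

```python
import re

PHP_LOCATION = re.compile(r"\.php$")  # the nginx location pattern from the text

# Constructed sample: files that exist under the script root /scripts
FILES = {"/scripts/index.php", "/scripts/1px.gif"}


def resolve_script(root, uri, existing_files, fix_pathinfo=True):
    """Simplified model: return the (SCRIPT_FILENAME, PATH_INFO) PHP settles on."""
    script = root + uri
    if not fix_pathinfo or script in existing_files:
        return script, ""
    # cgi.fix_pathinfo=1: drop trailing path segments until a real file is found
    candidate = script
    while "/" in candidate[len(root):]:
        candidate = candidate.rsplit("/", 1)[0]
        if candidate in existing_files:
            return candidate, script[len(candidate):]
    return script, ""


def audit(root, uri, existing_files, fix_pathinfo=True):
    """Return a finding when a non-.php file would reach the interpreter, else None."""
    if not PHP_LOCATION.search(uri):
        return None  # nginx would not pass this request to PHP at all
    script, _ = resolve_script(root, uri, existing_files, fix_pathinfo)
    if script in existing_files and not script.endswith(".php"):
        return f"{uri}: interpreter would be handed {script}"
    return None


if __name__ == "__main__":
    for uri in ("/index.php", "/1px.gif", "/1px.gif/test.php"):
        for setting in (True, False):
            finding = audit("/scripts", uri, FILES, fix_pathinfo=setting)
            print(f"fix_pathinfo={int(setting)} {uri}: {finding or 'ok'}")
```
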