I don't think this has anything to do with the .php extension.
If you image-link to an image (or any file) that is behind an .htaccess password protected directory the web browser automatically pops up the log-in box asking for credentials before it can download the image.
There is no php code executed.
It's not an exploit of any type, it is simply how all web browsers behave when faced with accessing a password protected directory.
Which by the way, you should never put your username/password into such a box unless you know what site has created said box and are legitimately trying to log in- the admin of the remote site can be recording the usernames/passwords being tried in the form.
This would happen on all versions of vBulletin, and indeed *any* forum software that allows [IMG] bbcode.
|