We encoutered an apparently 6-year-old bug in Apache, which might as well be a security feature: it treats escaped (URL-encoded) slashes (which become %2F) as normal slashes / in a URL and returns 404 Not Found if such a URL is requested. It does not even come to PHP. UPDATE: Fortunately, it seems that it actually is a security feature and there is Apache's AllowEncodedSlashes directive to turn it off. There is also a hack by Frédérick Giasson.