
In The Tangled Web, Michal Zalewski says:

If you are not using path-based parameter passing (such as PATH_INFO), consider disabling this feature.

He gave only one example of this vulnerability. The HTTP response of the downloaded file contained Content-Type: image/jpeg and Content-Disposition: attachment. The URL of the file (supplied by an attacker) contained hello.exe. As a result, IE saved the file to disk as hello.exe.

What other attacks exist that make use of an enabled PATH_INFO?

Andrei Botalov

1 Answer


PATH_INFO is an attacker-controlled variable and therefore can be the source of tainted data. This variable should never be trusted, and a web application must be very careful not to use it when manipulating files (directory traversal) or printing it to the browser (XSS).

An example of an attacker controlling this variable can be seen with this url:

https://cgi.ccs.neu.edu/home/cgiadmin/examples/phpinfo.php/ATTACK

In terms of non-injection attacks, I used this property of PATH_INFO to bypass WordPress's Access Control System. They were foolish enough to look for the word "admin" in the PATH_INFO variable to check if you were an administrator.

rook
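As an added example (not code from either post), the handlers below show, in Python WSGI terms where the same variable arrives as environ["PATH_INFO"], the defender's side of the four cases mentioned above: the directory-traversal check, the explicit download filename from the question, the path-based admin check from the answer next to a session-based one, and escaped reflection. FILES_ROOT and the "app.session" environ key are assumptions.

```python
import html
import posixpath
from urllib.parse import quote

# Constructed example: minimal handlers for an attacker-controlled PATH_INFO.
FILES_ROOT = "/srv/files"  # assumed download directory


def resolve_download(path_info):
    """Map PATH_INFO to a file under FILES_ROOT, or None if it escapes it."""
    # normpath collapses "." and ".." so the prefix check below is meaningful
    candidate = posixpath.normpath(
        posixpath.join(FILES_ROOT, path_info.lstrip("/")))
    if candidate != FILES_ROOT and not candidate.startswith(FILES_ROOT + "/"):
        return None  # directory traversal attempt
    return candidate


def download_headers(stored_name, content_type):
    """Name the file explicitly instead of letting the browser derive it
    from the URL (the IE behaviour the question describes)."""
    base = posixpath.basename(stored_name)  # last path component only
    ascii_name = base.encode("ascii", "ignore").decode() or "download"
    # RFC 5987 filename* form carries non-ASCII names safely
    disposition = 'attachment; filename="%s"; filename*=UTF-8\'\'%s' % (
        ascii_name.replace('"', ""), quote(base))
    return [("Content-Type", content_type),
            ("Content-Disposition", disposition),
            ("X-Content-Type-Options", "nosniff")]


def is_admin_weak(environ):
    """The flawed check the answer describes: trusts the request path."""
    return "admin" in environ.get("PATH_INFO", "")


def is_admin(environ):
    """Authorization from the authenticated session, not from the URL."""
    # "app.session" is an assumed key that auth middleware would populate
    return environ.get("app.session", {}).get("role") == "admin"


def reflect(path_info):
    """Echo PATH_INFO into HTML with escaping (prevents reflected XSS)."""
    return "<p>Path: %s</p>" % html.escape(path_info, quote=True)
```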