Is there a way to view the PHP source code (the actual code, not the compiled result) from the client machine?

This may be a really stupid question ... Yesterday I started to worry that it might be possible to somehow view the PHP files on the server through a browser or by other means from the client machine. I'm worried because I have an include file that contains a username and password. If there were a way to put the address of this file into a browser or some other tool and see the code itself, this would be a problem for obvious reasons.

Is this a legitimate issue? If so, how do people deal with this?

+4
6 answers

Not if your server is configured correctly. I think the discussion of how this is done belongs on Server Fault.

+5

To add to other answers:

If you use a file extension such as .inc, there is a higher risk. Can you open the file directly in your browser?

The most important tip is missing:

Only the files that the browser is supposed to access should be in a public location. All other code (and configuration) must live in a completely separate directory.

For instance:

root
  webroot
  includes
  config

The web server (Apache) only serves 'webroot'. Webroot can contain, for example, a single index.php along with all your assets (JavaScript, CSS, images).

Any code that index.php needs to load comes from 'includes', and all configuration from 'config'. If done correctly, there is no way a user can ever directly access either of these two directories.

+4

It depends on the file extension you gave the included file.

If the extension is one that the web server knows and executes, it will be protected. If you browse to the file, the server will try to execute the code rather than just return it as plain text.

If the extension is not known to the web server, it will serve the file as plain data, so anyone (who can guess the file name) can browse to it and see the source code.

+1

A directory traversal vulnerability could be exploited to retrieve files from a remote machine. Alternatively, SQL injection can be used to read files with load_file(). You can also test your system with w3af urlfuzzer, which searches for "backup files" such as index.php.zip. Also make sure that all files have the .php extension; .inc files can be viewed by the public. I would also disable Apache directory listing.

0

Normally there should be no way to view PHP files remotely ... that would be completely pointless. It depends entirely on which web server you are using and how it is configured.

0

Looking around, I see that you can protect the directory through .htaccess by adding the following lines:

    Order allow,deny
    Deny from all

This seems to protect the directory, so only local, non-web access is possible. This lets me keep my include subdirectories inside the main site's directory, which is good for organization, and it can be used in projects where I do not have access to folders outside the web root.

Does anyone else use this method?

Just for good measure, I set the directory permissions to execute only. And the include extension is .php, as others have suggested.

0

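The following is an added example, not code from any of the answers above, that ties together the "keep includes and config outside the web root" answer and the .htaccess answer. It assumes a hypothetical layout under /var/www/app where Apache's DocumentRoot points at webroot/ only, a config/db.php that returns an array of credentials, an includes/helpers.php that defines a hypothetical helloPage() function, and PHP 8 (for str_starts_with). Besides loading the private files from above the web root, index.php refuses to start if either file resolves to a path inside the served directory, which catches the exact mistake the question is about before a credential file can be served as plain text.

```php
<?php
// Added example, not from the original answers. Assumed layout:
//
//   /var/www/app/config/db.php        returns ['dsn' => ..., 'user' => ..., 'pass' => ...]
//   /var/www/app/includes/helpers.php defines helloPage(PDO $pdo): string (hypothetical)
//   /var/www/app/webroot/index.php    this file; DocumentRoot is /var/www/app/webroot
//
// config/ and includes/ sit above the DocumentRoot, so no URL maps to them:
// a misconfigured PHP handler or a .inc extension cannot expose them.

declare(strict_types=1);

// Resolve private directories relative to this file, not to the server's
// working directory, which differs between the CLI and mod_php/php-fpm.
define('APP_ROOT', dirname(__DIR__));              // /var/www/app
define('CONFIG_FILE', APP_ROOT . '/config/db.php');
define('INCLUDE_DIR', APP_ROOT . '/includes');

/**
 * Return the canonical path of a private file, or throw if it is missing
 * or resolves to a location inside the web root (i.e. reachable by URL).
 */
function assertOutsideWebRoot(string $path): string
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException("private file not found: $path");
    }

    // DOCUMENT_ROOT is empty on the CLI; fall back to this script's directory.
    $docRootSetting = $_SERVER['DOCUMENT_ROOT'] ?? '';
    $docRoot = realpath($docRootSetting !== '' ? $docRootSetting : __DIR__);

    if ($docRoot !== false && str_starts_with($real, $docRoot . DIRECTORY_SEPARATOR)) {
        throw new RuntimeException("refusing to load $real: it is inside the web root $docRoot");
    }
    return $real;
}

try {
    // require can take an expression; db.php returns its array.
    $config = require assertOutsideWebRoot(CONFIG_FILE);
    require assertOutsideWebRoot(INCLUDE_DIR . '/helpers.php');
} catch (RuntimeException $e) {
    // Details go to the server log only; the client gets a generic error.
    error_log($e->getMessage());
    http_response_code(500);
    exit('Server configuration error');
}

// Credentials stay in a local variable rather than a constant or global,
// so a template cannot print them by accident.
$pdo = new PDO($config['dsn'], $config['user'], $config['pass'], [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

echo helloPage($pdo);   // hypothetical function from includes/helpers.php
```

The matching Apache setting is `DocumentRoot /var/www/app/webroot`. When you cannot move files above the web root, the `.htaccess` approach from the answer above works on Apache 2.2; on Apache 2.4 the equivalent directive is `Require all denied` (the older `Order allow,deny` / `Deny from all` form needs mod_access_compat), and in both versions a `.htaccess` file is only honored if the directory's `AllowOverride` setting permits it, which is worth verifying by requesting one of the protected files yourself and confirming you get a 403 rather than the file's contents.
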
Source: https://habr.com/ru/post/1309965/
