All geek questions in one place

PHP source code protection on the server

I am new to PHP and have php security issue. Is it possible for someone to get the source code of the php script file running on the server with the default setting? If so, what is the best way to protect? I ask about this because I was able to download the php file when I asked for a page from the site and that caused my problems. I think that maybe the configuration of Apache was wrong and served me as a simple file for this file, but I'm not sure. Also the best place to store sensitive data such as database configuration or smtp?

Thanks Alex

+4
source share
8 answers

For the most sensitive information, I suggest placing it outside the root folder of your website and including it through "require" or "include". Thus, even some configuration becomes unsuccessful on the server, the visitor will receive only the line "include (" secret_stuff.php "); and not the actual script.

+5
source

If the server is not configured to process PHP files, it will treat them like any other unknown file (and serve them as text/plain or application/octet-stream .

PHP support, as far as I know, is always provided as an extension or an external program (for CGI, FastCGI, etc.) and is never built-in for an HTTP server.

+2
source

Exactly what David Dorward said, but I would advise you to take a look at the following fixes that will change apache so as not to send the source code if there is a wrong configuration.

http://mirror.facebook.net/facebook/patches/ap_source_defense.patch

A patch like:

  cd apache-1.3.x patch -p1 -i ap_source_defense.patch

More patches from Facebook. Development Team: http://mirror.facebook.net/facebook/patches/

The best way to protect your much-needed source is to place them outside the publicly accessible root directory, as if it were executing it, it would not be able to serve files directly from the public_html folder

eg:

 C:/server/apache/ C:/server/apache/htdocs/ C:/server/apache/htdocs/includes/

People can specifically view the files I'm going to

 http://hostname.tld/includes/

but having a directory structure:

 C:/server/apache/ C:/server/apache/includes/ C:/server/apache/htdocs/

and then inside

  C:/server/apache/htdocs/index.php

you have

 <?php require_once('../includes/config.php'); ?>

this should protect all the main files in the view file ( index.php )

+2
source

If the server is correctly configured to run PHP code, people without direct access to the server cannot view the PHP source code. You do not have to do anything.

Just because this server was not configured to run PHP and instead served it as text, could you see the source code.

0
source

If you have this line in apache.httpd.conf file,

 AddType application/x-httpd-php .php

Apache should process the data, not show it ...

Also you need to run php services.

0
source

What you call the "default setting" is a web server without php installed (or with php disabled). In these cases, of course, you can download the php script.

Make sure php is installed (as it will be on ~ 100% of production php servers) and / or block access to your configuration file using the .htaccess file, for example:

 <FilesMatch "^config.php$"> Order allow,deny Deny from all </Files>

If you want to be extra-complex (and work even on servers where .htaccess ignored), the .ht configuration file prefix, for example .ht.config.php . Most Apache (and some other web server) configurations will refuse to serve files starting with .ht . However, in general, the only way to make sure that the web server is not serving your file is to move it to a directory outside the directory of the server document. On most hosts, you or your PHP script will not be able to access them.

0
source

The second problem is the wrong configuration. Little can be done there, although there may be (?) Options for creating rewrites to prevent accessibility.

The best prevention is to save all scripts outside of DOCUMENT_ROOT . Just leave one index.php there and include all the dependencies in it. It is also the best strategy to prevent leakage of configuration data (also do not use ini files for sensitive data, but always .php scripts).

Another concern is shared hosting servers. All concurrent users on the server can read your scripts (if not through PHP, and then through Perl / bash CGI). You canโ€™t do anything about it if you donโ€™t go to a professional hoster that supports all the time through suexec and thereby allows individual permissions.

0
source

Well, "default setting" is an indefinite term, but as long as the web server is configured to parse .php files via PHP, you should be fine from that angle. If your scripts themselves deal with other PHP files (for example, a template system), you need to make sure that there are no loopholes, since PHP scripts have full access to your files on the server.

Assuming this is taken care of, you donโ€™t need to store sensitive data in any special place - just put it in your .php files, but make sure all your scripts end in .php (for example, config.inc.php ), so that they are always parsed through PHP and not sent as plain text.

0
source

Source: https://habr.com/ru/post/1338558/

More articles:


All Articles