PHP source code security on server

Question

I am a PHP newbie and a have a php security question. Is it possible for somebody to get the source code of a php script file running on a server with default configuration? If so, what is the best way to be protected? I am asking this because I happened to download a php file when I requested a page from a site and what triggered my concerns. I think that maybe apache configuration was wrong and served that file to me like a simple file but I am not sure. Also what is the best place to keep "sensitive" data such as database or smtp configuration?

Thank you, Alex

Answer 1

For the most sensitive information, I'd suggest putting it outside of your web root folder, and including it through "require" or "include". This way, even is some configuration gets botched on the server, the visitor will only get served the line "include('secret_stuff.php');" and not the actual script.

Answer 2

Exactly what David Dorward said but i would advise you take a look at the following patch(s) that would modify apache to not send source code's regards if there is a misconfiguration.

http://mirror.facebook.net/facebook/patches/ap_source_defense.patch

Patch like so:

   cd apache-1.3.x
   patch -p1 -i ap_source_defense.patch

More Patches from Facebook Development Team: http://mirror.facebook.net/facebook/patches/

---

The best way to protect your much needed source is to place them outside the public root directory, as if apache is running it will not be able to serve files directly from the folder up public_html

for example:

C:/server/apache/
C:/server/apache/htdocs/
C:/server/apache/htdocs/includes/

People can specifically view the files my going to

http://hostname.tld/includes/

but having the directory structure of:

C:/server/apache/
C:/server/apache/includes/
C:/server/apache/htdocs/

and then within

    C:/server/apache/htdocs/index.php

you have

<?php
    require_once('../includes/config.php');
?>

this should protect all major files bar the view file (index.php)

Answer 3

If the server is not configured to handle PHP files, then it will treat them like any other unknown file (and serve them as either text/plain or application/octet-stream.

PHP support is, as far as I know, always provided as an extension or external program (for CGI, FastCGI, etc) and never as a built in for an HTTP server.

Answer 4

If the server is properly configured to run PHP code, then people without direct access to the server cannot view the PHP source code. You don't have to do anything else.

It is only because that server was not configured to run PHP, and instead served it as text, that you could see the source.

Answer 5

If you have this line in your apache.httpd.conf file,

AddType application/x-httpd-php .php

Apache should deal with data, rather than showing them...

Also you need to start php services.

Answer 6

What you describe as "default configuration" is a webserver without php installed (or with php disabled). In these cases, it is certainly possible to download the php script.

Make sure php is installed (as it will be on ~100% of production php servers) and/or block access to your configuration file with an .htaccess file like this:

<FilesMatch "^config.php$">
    Order allow,deny
    Deny from all
</Files>

If you want to be extra-tricky (and work even on servers where .htaccess files are ignored), prefix the configuration file with .ht, like .ht.config.php. Most Apache(and some other webserver) configurations will refuse serving files beginning with .ht. However, in general, the only way you could be sure no webserver serves your file is to move it to a directory outside of the server's document directory. On most hosts you or your php script won't be able to access those though.

Answer 7

Your second problem are misconfigurations. There's not much you can do, albeit there might(?) be options to construct a rewriterule to prevent accidential accessibility.

The best prevention however is to keep all scripts outside of the DOCUMENT_ROOT. Just leave a single index.php there, and include all dependencies from there. This is also the best strategy to avoid leaking of configuration data (also don't use ini files for sensitive data, but always .php scripts).

Another worry are shared hosting servers however. All concurrent users on a server can read out your scripts (if not through PHP then via Perl/bash CGIs). Nothing you can do about that, unless you change to a professional hoster which supports running everthing through suexec and thus allowing individual permissions.

Answer 8

Well, "default configuration" is a vague term, but as long as the web server is configured to parse .php files through PHP, you should be fine from that angle. If your scripts themselves happen to parse other PHP files (for eg. a template system) then you need to make sure there aren't any loopholes in that too, since the PHP scripts have full access to your files on the server.

Assuming these are taken care of, you don't need to keep the "sensitive" data in any special place -- just put them in your .php files, but make sure all your scripts end in .php (for eg. config.inc.php) so that they are always parsed via PHP and not sent as plain text.