PHP security : retrieving PHP file from server, un

2020-02-26 07:30发布

问题:

Is there really a way to do this ? Retrieving raw .php file from the server (other than getting into server's FTP account) ? Is this the reason why there are tools/script to encrypt php source code ?

If it's true, then how to protect against it ? (without using php source code encryption)

edit: the server mentioned has php running, eg. apache-php-mysql, your standard hosting server configuration.

回答1:

If you are talking about someone else's server, then the short answer is no. If third parties could read your PHP source code, that would be quite a security hole, since PHP files tend to contain database passwords, hash keys, proprietary algorithms and other goodies that you don't want falling in the wrong hands.

If you are talking about your own server (ie. that you yourself have access to), then there are simple scripts that you can put on the server, that allow you to specify a path to any file on the server and have it returned as plaintext. However, you NEVER EVER want to place such a script on a production server, for the reasons mentioned above.



回答2:

Generally speaking, you can't access remote source code. The PHP module would have to be disabled for this to occur.

But as a thought experiment, how might this happen?

Leaving aside wholesale exploits which get access to the entire filesystem, imagine if there were a security hole in an application which allowed you to insert an line into an .htaccess file. Given that an .htaccess writable by the httpd process is useful for apps like Wordpress, it's not too outlandish a possibility.

If you added this:

php_value engine off

The source files now become downloadable!



回答3:

It is possible if the server is not well configured that PHP files are not handles as such.

Some examples:

  • Some servers are configured to show the highlighted source code of a PHP file when requested as .phps instead.
  • Some developers use .inc for files that are intended to be included using include or require. If the server is not configured to handle these as PHP as well, they will be delivered as plain text when they are requested directly.

But the developer can also be the source of vulnerability. For example when he uses a script for downloading files from the server and this script accepts nearly every input without validation.



回答4:

If the file is served from a web server that has php interpretation enabled (via HTTP) then it will be processed. The only way you'd receive the code unprocessed is if PHP was disabled somehow.



回答5:

I have encountered a mis-configured web server in the past that had one virtual host properly setup to server PHP files via the PHP interpreter. There was a second virtual host pointing at the same directory, but didn't have php enabled. This meant things like the 'config.php' for several apps where visible as plain text. As everyone knows a typical config.php has database auth credentials and other things that shouldn't be known.

So, it is very important to understand your web server setup, and make sure you aren't doing something silly.



标签: php security