If Apache is configured to parse PHP and not to allow file indexing, are there other ways users can see PHP source code, either with or without intention?
If Apache is properly configured with the php module loaded and correct MIME types, you should expect to not have any code disclosed to the client. Example:
There don't seem to be any attacks against MIME types in Apache that would break this behavior that I know of. You should be more worried about poor coding practices, and disclosing the source code through other means such as a file inclusion attack. PHP does have a .phps extension that beautifies source code for sharing. If you use these files, make sure you strip them of any usernames and passwords before sharing them. It might be possible for a file to be incorrectly named .phps instead of .php -- unlikely, but possible.
Here's an example of how hackers use a file inclusion vulnerability to disclose PHP source code. If not properly configured, it can even lead to a remote code execution vulnerability.
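As an added example (not code from either answer), the sketch below contrasts the file inclusion pattern both answers warn about with an allowlist-based include. The `pages` directory, the page names and the `resolve_page` helper are assumptions made for illustration.

```php
<?php
// Added example, not code from the answers above.
// Assumptions: a "pages" directory beside this script and the page names below.
const PAGE_DIR = __DIR__ . '/pages';

// Risky pattern, left commented out for contrast: the request value reaches
// include unchanged, so the client chooses which file PHP reads.
//   include $_GET['page'];

/** Map a requested page name to a file inside $baseDir, or return null. */
function resolve_page($requested, string $baseDir = PAGE_DIR): ?string
{
    // The request value is only a lookup key in a fixed allowlist; it is
    // never concatenated into a path.
    $allowed = ['home' => 'home.php', 'about' => 'about.php'];
    if (!is_string($requested) || !isset($allowed[$requested])) {
        return null;
    }

    // Defence in depth: canonicalise both paths and confirm the target still
    // sits under the base directory (catches symlinks and a stale allowlist).
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $allowed[$requested]);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

$page = resolve_page($_GET['page'] ?? 'home');
if ($page === null) {
    http_response_code(404);
    exit('Not found');
}
include $page;
```

Keeping `allow_url_include` off in php.ini (its default) additionally stops `include` from fetching code from a remote URL.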