How do I prevent PHP files from being downloaded "illegally", e.g. through the browser? And what are some ways someone can use to download the PHP files?

Lekensteyn
AAA
  • What exactly do you mean? Do you mean the PHP source code of the requested files? On a properly configured browser, that will not happen. – Pekka Sep 13 '10 at 18:57
  • @Pekka: it's certainly not the browser that needs to be configured properly to prevent that... – Michael Borgwardt Sep 13 '10 at 19:01
  • Someone told me files can be downloaded via the browser... – AAA Sep 13 '10 at 19:02
  • If you use a secure server it could be impossible, right? – AAA Sep 13 '10 at 19:02
  • @Michael I meant of course server. It's late, time to call it a day soon :) – Pekka Sep 13 '10 at 19:02
  • @AAA: Yes, it is impossible if the webserver is properly configured. Lekensteyn pointed out a very nice solution to close the last security hole. – jwueller Sep 13 '10 at 19:06
  • @AAA, in most cases, PHP won't be downloadable. You'd better worry about services like FTP or file upload features in your scripts. The human is the most dangerous in ICT security; passwords should be random, and not something like 'apple'. To finish the story, [xkcd about Security](http://xkcd.com/538/). – Lekensteyn Sep 14 '10 at 15:04
  • I just installed a new LAMP on Debian 8. By default directory listing is enabled, i.e. you can see all files, incl. PHP files, and right-click them and download! I have now disabled default directory listings, but I'm still afraid it's possible to download a PHP file directly by doing the browser download command manually somehow? – MrCalvin Feb 13 '16 at 12:21
  • The only way that can happen is if the web server is not running PHP, so it will show PHP as plain text, the typical "if you're seeing this, your web server...." – lisandro Feb 03 '22 at 16:11

5 Answers

You can't really prevent files from being downloaded if your application is not secure. The following example allows a malicious user to view any file on your server:

<?php
// Deliberately vulnerable: the client controls the whole path, so
// ?file=../../index.php or ?file=/etc/passwd reads any file the web server user can.
readfile($_GET['file']);
?>

If you want to prevent Apache from exposing the source code if something is wrong with PHP, add this in your httpd.conf / .htaccess:

# In case there is no PHP, deny access to php files (for safety)
# Apache 2.2 syntax: on Apache 2.4 replace the two lines inside FilesMatch with
# "Require all denied". The module name depends on the PHP build
# (php5_module here; php7_module / php_module on newer releases).
<IfModule !php5_module>
    <FilesMatch "\.(php|phtml)$">
        Order allow,deny
        Deny from all
    </FilesMatch>
</IfModule>
# the following should be added if you want to parse .php and .phtml files as PHP
# .phps will add syntax highlighting to the file when requesting it with a browser
# (a .phps file is deliberately served as highlighted source, so never give a
# real script that extension)
<IfModule php5_module>
    AddType text/html .php .phtml .phps
    AddHandler application/x-httpd-php .php .phtml
    AddHandler application/x-httpd-php-source .phps
</IfModule>
Lekensteyn
  • Thanks for your response. How do I include this in the PHP file, just copy and paste it the same way, or do I have to do something else? And in other words, you are saying no matter what nobody can download the files if the server is secure? – AAA Sep 13 '10 at 19:01
  • @AAA: This has nothing to do with the PHP script itself. It belongs in your apache configuration. – jwueller Sep 13 '10 at 19:03
  • @AAA relax. Chances are there is no problem at all. Every normal server configured to parse PHP files will *not* let people download the PHP source code. – Pekka Sep 13 '10 at 19:05
  • @Pekka, in that case I am set; I am using the Rackspace premier version. – AAA Sep 13 '10 at 19:09
  • @Lekensteyn I only now see and appreciate what your suggestion is doing. *Nice!* The first IfModule would be well suited as the standard .htaccess for any project for total safety – Pekka Sep 13 '10 at 19:12
  • @AAA I don't know that particular product but I assume it is a hosting service or a pre-configured virtual server - it's extremely likely everything is already configured correctly there. – Pekka Sep 13 '10 at 19:13
  • Doesn't adding the .phps handler actually open up the very hole the OP is looking to plug? – Marc B Sep 13 '10 at 20:11
  • @Marc B, files with a .phps extension will be shown anyway. Adding the `application/x-httpd-php-source` handler will just add a nice syntax highlighting to the file. – Lekensteyn Sep 14 '10 at 14:56
  • Will this prevent a simple download using wget? And is there any other way to prevent download, because I am on a shared hosting server and I believe I do not have access to .conf or .htaccess files. – Chiwda Aug 30 '12 at 10:05
  • @Chiwda You cannot prevent a client from downloading files if that is what you mean by "a simple download using wget". To prevent PHP files from being downloaded, the server needs to be well-configured. If you are really worried about your source code getting lost, do not use shared webservers. – Lekensteyn Aug 30 '12 at 12:05
  • It doesn't matter if your server is shared or not, well-configured or not. Wget can retrieve any file from any server as long as you know the path. However, I have discovered that wget using http does not give you PHP source, but it can for example give you javascript source or HTML. I have not had the time to investigate, but I assume there is an equivalent FTP version that can get you the original file. – Chiwda Sep 02 '12 at 15:41
  • @Chiwda If a web browser can show the file, then of course wget can retrieve it too, wget is just a client. PHP files are processed by the webserver (e.g. Apache), FTP servers only share the file without trying to execute a file. Being able to request a PHP server on the webserver does not imply that a FTP server is available for retrieving the PHP source code. **PHP is a server-side language** whereas HTML and Javascript are processed locally on the clients computer. – Lekensteyn Sep 02 '12 at 19:13
  • I will ignore the condescension - I really do know the difference between server side and client side technologies. I also know that an FTP server may not be available (but have you ever used a webserver without an FTP server to use for publishing?). I am engaging in a discussion because I have a real problem and need a real solution. If people can download my files, there is really no security to my application. In fact, I did find that wget has an ftp option. Of course if you don't have anonymous access enabled, it prolly won't help, but it is still a security hole. – Chiwda Sep 03 '12 at 12:24
  • @Chiwda I am actually using a webserver without FTP. FTP is insecure, I use SFTP which goes over an encrypted SSH channel. Where is the doubt? People cannot get your PHP source from HTTP unless the server is severely misconfigured. – Lekensteyn Sep 03 '12 at 12:33
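As an added example that is not part of Lekensteyn's answer: the `readfile($_GET['file'])` snippet above placed beside a hardened version. The fixed version never passes client input to the filesystem directly: it keeps only the file's base name, requires an allow-listed extension, resolves the result with realpath() inside a fixed download directory and rejects anything that escapes it, symlinks included. The directory (/var/www/downloads), the extension list and the `file` parameter name are assumptions made for this example.

```php
<?php
// Added example; not code from the original answer.
// Assumptions (hypothetical for this example): downloadable files live under
// DOWNLOAD_DIR, the request parameter is "file", and only ALLOWED_EXT may be
// served raw.
declare(strict_types=1);

const DOWNLOAD_DIR = '/var/www/downloads';
const ALLOWED_EXT  = ['pdf', 'zip', 'txt'];

/**
 * Vulnerable form from the answer above. The client controls the entire path:
 *   ?file=../../index.php                 -> PHP source of any script
 *   ?file=/etc/passwd                     -> any file readable by the web user
 *   ?file=php://filter/resource=index.php -> same, via a stream wrapper
 */
function serve_file_vulnerable(string $file): void
{
    readfile($file);
}

/**
 * Map a client-supplied name to a file inside $baseDir, or return null.
 * Only the returned path is ever handed to readfile().
 */
function resolve_download(string $requested, string $baseDir = DOWNLOAD_DIR,
                          array $allowedExt = ALLOWED_EXT): ?string
{
    if (strpos($requested, "\0") !== false) {
        return null;                  // NUL bytes: filesystem calls truncate or throw
    }
    // Keep only the last path component. This discards "../", absolute
    // prefixes and stream wrappers such as php:// before they touch the disk.
    $name = basename($requested);
    if ($name === '' || $name[0] === '.') {
        return null;                  // empty, ".", ".." and dotfiles (.htaccess, .env)
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;                  // .php, .phtml, .inc, .bak, ... are never served raw
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    // realpath() resolves symlinks, so a link inside the download directory
    // that points at a script elsewhere fails the prefix check below.
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                  // resolved outside the download directory
    }
    return $path;
}

function serve_file_hardened(string $requested): void
{
    $path = resolve_download($requested);
    if ($path === null) {
        http_response_code(404);      // same answer for "missing" and "forbidden"
        return;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

// ?file[]=x would arrive as an array; treat anything that is not a string as missing.
$requested = $_GET['file'] ?? '';
serve_file_hardened(is_string($requested) ? $requested : '');
```

The order of the checks matters: basename() runs before any filesystem call, so traversal sequences and php:// wrappers never reach realpath(), and the extension allow-list is checked on the base name so that a request for `index.php` is refused even if someone later drops a script into the download directory.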

Under normal circumstances, nobody is able to download PHP source code, since it is executed on the server. The webserver recognizes PHP scripts and passes them to PHP. The result is then passed back to the browser of the requesting user. The situation you described can only be achieved if the webserver configuration is really messed up.

jwueller
  • Would +1 if I had votes left - this is probably everything there is to say, there probably is no problem at all – Pekka Sep 13 '10 at 19:06
  • "Under normal circumstances" - an additional [safe guard](http://en.wikipedia.org/wiki/Defense_in_depth_(computing)) is always useful in case something *really* goes wrong. (a car should not crash, but in case of a crash, the driver will have seatbelts and air bags protecting him) – Lekensteyn Sep 14 '10 at 14:59
  • @Lekensteyn: You are right. As I said in the comments to the question, I really like your solution. – jwueller Sep 14 '10 at 15:37
<?php
// Fetches http://www.victim.com/phpfile.php over HTTP: the remote server executes
// the script and only its output (HTML) comes back, never the PHP source.
// readfile() on a URL requires allow_url_fopen=On in php.ini.
header('Content-disposition: attachment; filename=http://www.victim.com/phpfile.php');
header('Content-type: application/pdf');
readfile('http://www.victim.com/phpfile.php');
?>
paul

Under normal circumstances, nobody is able to download PHP source code (same as the other answer). But if you have a file with a different extension, for example page1.bak, and you have a page1.php, the page1.bak gets downloaded if you just put in the URL ht..//.../page1

I have confirmed this with PHP version 5.3.10-1ubuntu3.2 and Apache/2.2.22. In summary, avoid putting your config or test files in the production directory unless you want them to be downloaded in raw state.

The MultiViews option should also be disabled in apache2.conf or httpd.conf to avoid defaulting to returning a "near-like" filename.

kalabog76
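As an added example, not part of kalabog76's answer or of the accepted one: an Apache 2.4 configuration with the weak settings shown commented out beside the corrected ones. It turns off MultiViews, which is what can let a request for /page1 fall through to page1.bak, refuses to serve backup and editor leftovers and dotfiles, and carries the accepted answer's "no PHP handler, no .php files" guard over to the 2.4 `Require` syntax. The document root, the extension list and the module name `php_module` (php5_module or php7_module on older builds; not applicable when PHP runs as php-fpm behind proxy_fcgi) are assumptions.

```apache
# Added example, not from the original answers.
# Assumption: DocumentRoot is /var/www/html and PHP runs as mod_php (php_module).

# Weak: Indexes lists the directory, and MultiViews (content negotiation on the
# file name) can answer /page1 with page1.bak.
#<Directory "/var/www/html">
#    Options Indexes MultiViews FollowSymLinks
#</Directory>

# Corrected
<Directory "/var/www/html">
    Options -Indexes -MultiViews
    AllowOverride None
    Require all granted
</Directory>

# Backup and editor leftovers (page1.bak, config.php~, config.php.dist) are
# served as plain text by default; deny them outright.
<FilesMatch "(\.(bak|orig|old|inc|sql|swp|dist|sample)|~)$">
    Require all denied
</FilesMatch>

# Dotfiles (.env, .htpasswd, .index.php.swp) and VCS directories.
<FilesMatch "^\.">
    Require all denied
</FilesMatch>
<DirectoryMatch "/\.(git|svn|hg)">
    Require all denied
</DirectoryMatch>

# Same guard as the accepted answer, in Apache 2.4 syntax: if the PHP module is
# not loaded, .php files would be sent as source, so refuse them instead.
<IfModule !php_module>
    <FilesMatch "\.(php|phtml|phps)$">
        Require all denied
    </FilesMatch>
</IfModule>
```

After a reload, request /page1, /page1.bak and /.env and confirm each returns 403 or 404; then stop the PHP module and request /page1.php to confirm the last block refuses it rather than returning the source.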

You never download the PHP file from a web server running PHP. You can download the HTML delivered by the PHP, like in this answer. You don't get the PHP script; you get HTML + JavaScript (if any).

<?php
// Same demonstration as the answer above: the remote server runs the script and
// returns its output, not its source. Needs allow_url_fopen=On for readfile() on a URL.
header('Content-disposition: attachment; filename=http://www.victim.com/phpfile.php');
header('Content-type: application/pdf');
readfile('http://www.victim.com/phpfile.php');
?>
lisandro