13

Is it possible for someone to 'hack' an apache server and read PHP files. I understand that PHP is a server-side language and cannot be read from anywhere other than the server, but could someone hack the server and read them as if reading a text file?

PeeHaa
Joey Morani
  • This SO question has some more detailed answers about proper Apache configuration and ways to avoid this: [How to prevent PHP files from being downloaded?][so]. [so]: http://stackoverflow.com/questions/3703449/how-to-prevent-php-files-from-being-downloaded-and-what-are-some-ways-someone-c – BrianC Jan 04 '12 at 22:46

12 Answers

12

Well yes, if they ever actually hack into the server (SSH, FTP etc.), they may have access to files on the hard disk. A properly configured Apache server will not serve raw PHP files though, it should always process them with the PHP interpreter first.

To avoid problems with misconfigured Apache servers though (even just temporary glitches), it's advisable to keep the application files outside the public webroot. Put only a small bootstrap PHP file into the webroot which may be exposed in a pinch, but which just includes other PHP files which are not publicly accessible.

deceze
  • Thanks for the answer. That's what I'll do - I'll keep it outside the webroot. Something I don't understand is why people downvote anything here now. It's an honest question which I didn't know the answer to. Thanks again. :) – Joey Morani Jan 05 '12 at 00:29
  • You do need to "hack" anything to get access to files. A simple wget will get you any file from any server unless it is protected in some other way i.e. at the operating system or web server level. – Chiwda Aug 30 '12 at 11:38
  • @Chiwda Wut? You have it backwards. A simple `wget` will get you nothing *unless the file is explicitly publicly exposed through a web server.* – deceze Aug 30 '12 at 11:42
7

There are several options for someone to be able to read the PHP source files on a server.

  1. Think about a misconfiguration of the server
  2. A hack of the server
  3. Not opening the PHP file with <?php
  4. Temporary / backup files (Think index.php~ or index.php.bak)
  5. etc.

I understand that PHP is a server-side language and cannot be read from anywhere other than the server

That only means the files are processed on the server side. It doesn't mean the source is bound to the server in some way.

PeeHaa
  • +1 for backup files; it is unnervingly common. As is the aging practice of using a different file extension for "includes" or code-as-config, e.g. "database.inc", "settings.conf". Directory traversal vulnerabilities and local file inclusion vulnerabilities are also common ways to accidentally cause source code disclosure. – Cheekysoft Jan 05 '12 at 10:10
2

This often happens when there is an Apache misconfiguration. If you accidentally remove the extension handler for PHP files, they will be returned as plain text (this happened to Facebook years ago). For this reason, it's best to only have a bootstrap file in your docroot (e.g. index.php containing `<?php include '../private/not-in-docroot/file.php' ?>`). So if PHP files aren't handled properly, only your bootstrap code will be public - app logic and configuration files will be safe.

tl;dr - Keep your code out of the docroot, only expose a bootstrap file

John Himmelman
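As an added example (not code from any answer in this thread), a small Python audit that walks a docroot and flags the disclosure conditions the answers above describe: editor backup copies such as `index.php~`, includes kept under non-.php extensions such as `database.inc`, short `<?` open tags that are emitted as text when `short_open_tag` is off, and more than one .php file in the docroot where a single bootstrap is recommended. The sample tree it builds is constructed for the demonstration; its file names and contents are assumptions.

```python
import os
import re
import tempfile

# Suffixes editors and deploy scripts leave behind; Apache has no PHP
# handler for them, so the copy is served as plain text.
BACKUP_RE = re.compile(r"(~|\.(bak|old|orig|save|swp|tmp))$", re.I)
# Code-as-config extensions from the era of database.inc / settings.conf.
RAW_INCLUDE_RE = re.compile(r"\.(inc|conf|ini|sql)$", re.I)
# A short open tag is emitted verbatim when short_open_tag=Off.
SHORT_TAG_RE = re.compile(rb"<\?(?!php|=|xml)", re.I)


def audit_docroot(root):
    """Walk a docroot; return sorted (relative_path, reason) findings."""
    findings, php_count = [], 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if BACKUP_RE.search(name):
                findings.append((rel, "backup/temp copy is served as plain text"))
            elif RAW_INCLUDE_RE.search(name):
                findings.append((rel, "include without .php extension is served as plain text"))
            elif name.lower().endswith(".php"):
                php_count += 1
                with open(full, "rb") as fh:
                    if SHORT_TAG_RE.search(fh.read()):
                        findings.append((rel, "short open tag <? leaks code if short_open_tag=Off"))
    if php_count > 1:
        findings.append((".", f"{php_count} .php files in docroot; keep one bootstrap, move the rest out"))
    return sorted(findings)

def build_sample_tree():
    """Create a constructed sample docroot (not a real site); return its path."""
    root = tempfile.mkdtemp(prefix="docroot-")
    samples = {
        "index.php": b"<?php require __DIR__ . '/../app/bootstrap.php';\n",
        "index.php~": b"<?php // editor backup left behind\n",
        "inc/database.inc": b"<?php $db_pass = 'constructed-sample';\n",
        "legacy.php": b"<? echo 'short tag'; ?>\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    print(*audit_docroot(build_sample_tree()), sep="\n")
```

Point `audit_docroot` at a real docroot (e.g. `/var/www/html`) to check a live deployment; a clean result is an empty list.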
2

NASA can be hacked. The FBI can be hacked. Your shared server can definitely be hacked.

Martin Bean
1

Yes, of course they could - if the server is penetrated then any file on it is visible.

Alnitak
0

Yes, it's entirely possible for someone to hack a server, via an exploit, or by stealing your password, or via buggy code you or others have written, or a number of different ways.

ceejayoz
0

If the Apache server has a security bug that allows unrestricted access to the filesystem, then any file that is accessible by the Apache user will be available through the hole made by the bug.

Mircea Vutcovici
0

Of course! You can read and edit the actual PHP on the server, right? So anyone who gets access to your server (via FTP, your web hosting control panel, a vulnerability in the PHP code you write) has the potential to read through your PHP.

The only reason usual users don't see the PHP is because Apache goes: Ah! This file ends in .php! Let me run it through the PHP parser first! But that's easy enough to shut off.

Long story short: never store sensitive data on your web server. If you must, make sure it's encrypted.

benesch
0

If you hack the server you can get FTP access and read the files. You could also trick the server into thinking that files with *.php are not executed with PHP; the server would then offer the files for download if you want to access them (could also happen if the server is overloaded?).

Tobias
0

Of course they could. It could be done via FTP, or any other method that compromises the ability to 'restrict' the files from view.

However, a PHP file will not be shown as text to someone who just requests "index.php"; it will not display the unprocessed contents IF you have your server set up correctly.

Jakub
0

If your server has old software, or your PHP script contains some errors, some people can read your PHP script.

Artem Agasiev
0

Your PHP Source could be seen by others IF

  • The Code Allows it
  • A Server is Running Without PHP Installed
  • The Server is not Properly Configured
  • AND (in some cases) An error occurs.

One of Facebook's servers was set up wrong and the PHP code was accessible and was leaked online. Check your server and code for security problems!

Adam Fowler