PHP source code was shown on the webpage - security issue ?

Discussion in 'Tips/Tricks/Mods' started by newbie2008, Mar 20, 2009.

  1. newbie2008

    newbie2008 New Member

    Hi Till,

    I am not sure this is my setting problem, I am using ISPConfig version 2.2.24

    1) I have enable php globally and uncheck the PHP Scripts and PHP Safe Mode options in one of my virtual site, say www.example.com
    2) There is a test.php program in the /var/www/example.com/web/

    When I visit the virtual site www.example.copm/test.php, the source code of test.php shows up. I feel very unsafe that the php source code reveal to any visitors?

    :eek:
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    This is a problem with your settings.

    1) If you uncheck the php option in the site settings then PHP is disabled and you see the sourcecode. hats the intended behaviour of disabling PHP ;) Enable it and it in the site settings and it should work properly. You can not enable php globally, take a look at the perfect setup guide and configure your server properly as described there.
     
  3. newbie2008

    newbie2008 New Member

    Sorry that I have typo, actually I have disabled PHP Globally before. Here is my /etc/httpd/conf.d/php.conf as

    # AddType application/x-httpd-php .php
    # AddType application/x-httpd-php-source .phps

    so, is it inevitable to show the php source code or I must remove any .php programs under /web ? This might be inconvenience for temporary disable php function per virtual website!
     
  4. newbie2008

    newbie2008 New Member


    Again, by experiment I found that if "AddType application/x-httpd-php .php" was remarked in /etc/httpd/conf.d/php.conf, and disable (uncheck) the php script of one virtual site (www.example.com) in ispconfig UI, the .php program source will be displayed on that website; like www.example.com/test.php.
    I have tried php4 and php5 in different server, will there be any gentlemen/ladies give me an advice?
     
  5. falko

    falko Super Moderator Howtoforge Staff

    Which distribution are you using?
     
  6. newbie2008

    newbie2008 New Member

    Hi falko, I have two severs; ServerA using CentOS4.6 + Apache2.0 + PHP4 and ServerB using CentOS4.7 + Apache2.0 + PHP5. Both using ISPConfig 2.2.24, some php version captured here:

    for ServerA
    php-xmlrpc-4.3.9-3.22.12
    php-mysql-4.3.9-3.22.12
    php-ldap-4.3.9-3.22.12
    php-odbc-4.3.9-3.22.12
    php-gd-4.3.9-3.22.12
    php-devel-4.3.9-3.22.12
    php-imap-4.3.9-3.22.12
    php-pear-4.3.9-3.22.12
    php-4.3.9-3.22.12

    and for ServerB
    php-ldap-5.1.6-3.el4s1.9
    php-pear-1.4.11-1.el4s1.1
    php-odbc-5.1.6-3.el4s1.9
    php-pdo-5.1.6-3.el4s1.9
    php-xml-5.1.6-3.el4s1.9
    php-imap-5.1.6-3.el4s1.9
    php-cli-5.1.6-3.el4s1.9
    php-mysql-5.1.6-3.el4s1.9
    php-devel-5.1.6-3.el4s1.9
    php-5.1.6-3.el4s1.9
    php-gd-5.1.6-3.el4s1.9
    php-common-5.1.6-3.el4s1.9
    php-xmlrpc-5.1.6-3.el4s1.9

    I have followed the installation guide
    http://www.howtoforge.com/centos-4.6-server-lamp-email-dns-ftp-ispconfig
    for /etc/httpd/conf.d/php.conf which only with this

    In ServerA
    LoadModule php4_module modules/libphp4.so
    DirectoryIndex index.php

    and in Server B
    LoadModule php5_module modules/libphp5.so
    DirectoryIndex index.php

    Does this information help?
     
  7. falko

    falko Super Moderator Howtoforge Staff

    Looks ok. What's in your Vhosts_ispconfig.conf? Can you go to the directory where Vhosts_ispconfig.conf is located and post the output of
    Code:
    ls -la
    ?
     
  8. id10t

    id10t Member

    You could use a .htaccesss file to disable all access to *php
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    It is the intention that php source code is shown if you disable php, as php is DISABLED theb. So if you want to upload PHP files to a website you should enable php as it is absolutely useseless to upload php files to a website were you disabled php in the site settings.
     
  10. newbie2008

    newbie2008 New Member

    Dear all, Thanks all of your reply. What I want to disable PHP script under ISPConfig UI control panel is to let the PHP function temporary inaccessible (for internal php script development and testing). Okay, I will try other method or rename all those php programs for my temporary purpose.;)
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    If you rename a php script to another extension you will get the sourcecode too ;)

    If you want to deny a filetype then you can do this by adding some apache mod_access rules to the apache directives field of the website like this:

    <Files ~ "\.php$">
    Order allow,deny
    Deny from all
    </Files>
     

Share This Page