Some of you may know that plain, unparsed PHP files can be sent from the server to the person browsing your website. This is down to the way in which mod_php is implemented in Apache. Facebook has suffered from its servers spitting out unparsed PHP, and many more sites may unknowingly be spitting out PHP files on rare occasions as well. So, the purpose of this article is to show you how you can secure the PHP code on your server and make sure people never get hold of your PHP files.
Includes Outside Web Root
All your include files, such as database connection details and so on, should be outside your web root. When this cannot be done you can use an .htaccess file in the includes folder with the following to prevent HTTP access to those files (PHP will still be able to include them as normal):
Order deny,allow
Deny from all
Default File Type
This is mainly for when, or if, you change a file extension from .php to a misspelling, for example index.ph…, in which case by default the server would send the visitor the PHP as a plain text file. Adding DefaultType application/x-httpd-php to your httpd.conf file or to your .htaccess file will make sure all files are parsed with the PHP engine regardless of their file extension.
Note: having every file parsed by PHP will have a small impact on server speed, but not much.
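The two settings above (denying HTTP access to an includes folder, and dealing with files that contain PHP but do not end in .php), collected into one Apache configuration fragment as an added example; this is not the original post's configuration. The paths /var/www/html (DocumentRoot) and /var/www/html/includes are assumptions. The Apache 2.4 forms are given alongside the 2.2 ones because Order/Deny only work on 2.4 with mod_access_compat loaded, and because 2.4 ignores DefaultType altogether, so on that version the extension problem has to be handled by refusing to serve such files instead.

```apache
# Added example, not the original post's configuration.
# Assumed layout: DocumentRoot /var/www/html, include files kept in
# /var/www/html/includes only because they cannot be moved outside the root.

# --- Includes that must stay inside the web root -----------------------
# HTTP access to the folder is refused; PHP's include()/require() read the
# files straight from disk and are unaffected.
<Directory "/var/www/html/includes">
    # Apache 2.2 (as in the post)
    Order deny,allow
    Deny from all
    # Apache 2.4 equivalent (use instead of the two lines above):
    # Require all denied
</Directory>

# --- Files that hold PHP but would be served as plain text -------------
# Mis-typed extensions (index.ph), .inc files and editor backups
# (index.php~, index.php.bak) are never handed to mod_php, so refuse them.
# This is narrower than DefaultType application/x-httpd-php: that directive
# only applies to files with no other known type, is ignored by Apache 2.4,
# and would also execute any uploaded file that happens to carry an unknown
# extension.
<FilesMatch "\.(inc|ph|php~|php\.(bak|orig|save|swp))$">
    Order deny,allow
    Deny from all
    # Require all denied   (Apache 2.4)
</FilesMatch>

# --- Apache 2.2 only: the post's catch-all ------------------------------
# Uncomment to parse anything without a recognised type as PHP, accepting
# the trade-offs noted above.
# DefaultType application/x-httpd-php
```

Put the fragment in httpd.conf (or the body of the Directory block in the includes folder's own .htaccess, if AllowOverride permits it), run apachectl configtest and reload, then request /includes/db.php and a deliberately mis-named index.ph with curl and confirm both return 403 rather than source.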
Mod Security
Also known as mod_security, it can be used to check all output of the server. So you could make mod_security check for a PHP comment like:
<?php // ### UNPARSED PHP – DO NOT SEND TO THE VISITOR ###// ?>
And if it is found, the file will NOT be sent to the visitor. However, if the file has been parsed by PHP then the comment would not be included in the output, so mod_security would not deny access and everything would run as it should. Adding that comment to all your PHP files will ensure that they are ONLY sent to the visitor if they have been parsed by the PHP engine.
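A ModSecurity 2.x rule set that implements the check described above, added here as an example; it is not from the original post. The rule id 900100 is an assumption (choose one outside the ranges your other rule sets use), and so is the MIME type list, which must include whatever Content-Type Apache attaches to a raw .php file on your server when mod_php is not handling it.

```apache
# Added example, not the original post's configuration.
SecRuleEngine On

# Response-body inspection is off by default. It must be switched on, and
# the type Apache would attach to an unparsed .php file must be on the
# inspected list (assumed values; check a raw file's Content-Type header).
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html application/x-httpd-php
SecResponseBodyLimit 1048576
# Large responses are inspected up to the limit rather than rejected. The
# post puts the marker comment at the top of every file, so it always falls
# inside the inspected portion.
SecResponseBodyLimitAction ProcessPartial

# Phase 4 runs after the response body has been generated. The marker text
# is matched literally; once a file has been parsed by PHP its comments are
# gone from the output, so normal pages pass. A hit is replaced by an empty
# 403 and the file name is logged so the misconfiguration can be found.
SecRule RESPONSE_BODY "@contains UNPARSED PHP" \
    "id:900100,phase:4,deny,status:403,log,\
    msg:'Raw PHP source about to be served',\
    logdata:'%{REQUEST_FILENAME}'"
```

After reloading Apache, a quick check is to place a file containing only the marker comment under the DocumentRoot with an extension mod_php does not handle, request it, and confirm a 403 plus an entry in the ModSecurity audit log; then remove the test file.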
Encoding
Should the worst happen and your raw PHP files get sent to the visitor, there is another level of protection. If you encode your files first using a PHP encoder then the visitor will just get a load of encoded data instead of PHP code. Although encoders do cost money, they add an extra level of security as well as a speed increase in most cases, and offer just that peace of mind should the worst happen.
Kind regards,
Scott