Re: Forum displays PHP code, not website [message #177384 is a reply to message #177383]
Fri, 23 March 2012 02:51
Jerry Stuckle
Messages: 2598 Registered: September 2010
On 3/22/2012 10:23 PM, P E Schoen wrote:
> "Jerry Stuckle" wrote in message news:jkg6cn$mjd$1(at)dont-email(dot)me...
>
>> On 3/22/2012 4:43 PM, M. Strobel wrote:
>
>>> Hmm - sure? He said "PHP application on the server was missing or
>>> defective?".
>>
>>> Missing not, the code was displayed. Defective? Only when the
>>> application
>>> printed out PHP code - well, unlikely, but not impossible.
>
>> Yes, it could be an application problem. For instance, using
>> short_open_tags in the code and an update to the server disabled them.
>
> Well, it seems fine now, and it's not my server. Thanks for the variety
> of comments. I do have a few PHP pages on my websites, and I think they
> are well protected enough that the server would never display the code -
> at least I hope so, because I have passwords hard coded in them. They
> are in directories which have permissions set to 711, so the contents
> should never be readable by the public. When I have had configuration
> problems, generally I have gotten an error message or not even that.
> What I have is not very sensitive or critical but I do have some
> concerns because I don't really know this stuff well enough for full
> confidence.
>
But having the passwords in files which are publicly accessible is very
dangerous - as you have seen. And just because it's never happened to
you before doesn't mean it can't and won't. It might even be tomorrow.

> Just yesterday I had problems with email on my Dreamhost server, and I
> noticed that the logs seemed to be missing and not updated since last
> August. But apparently there was a change which now requires SFTP / SSH.
> I downloaded and installed WinSCP per Dreamhost's recommendation but
> found that I can also use FileZilla, so I'll stick with that.
>
> I have a php file for which I have set permissions 711. If the PHP
> executable or the configuration had problems, would the source be visible?
> http://www.muttleydog.com/RandomQuoteImage.php
>
> Thanks,
>
> Paul

PHP scripts are not executable files (unless they are CLI and start out
with a shebang) and should not be set as executable.

And yes, a problem similar to what you saw will expose your code. The
webserver can (and has to be able to) read it so a misconfiguration will
make it visible.

You really need to study up on security and basic Unix administration.
There are already too many PHP sites with poor security (like one I'm
working on right now).

Working on the web is like playing with dynamite. You can be OK for a
long time, but eventually a cap could explode and blow your hand off (or
worse).
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
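
An audit for the two points made in the reply above (PHP files served by the web server should not carry the executable bit, and passwords hard-coded in files under the web root are exposed whenever the server serves source), as an added example that is not part of the original post. The credential regex, the function names, and the sample files and paths are assumptions constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Heuristic (assumption of this example): a credential-like name assigned a quoted literal.
SECRET_RE = re.compile(
    r"""(?i)(pass(word|wd)?|pwd|secret|api_?key)\w*['"\]\s]*(=>|=|,)\s*['"][^'"]+['"]""")

def audit_docroot(docroot):
    """Return sorted (relative_path, issue) pairs for .php files under docroot."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, docroot)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            # The web server only needs to read a PHP script, never execute it.
            if mode & 0o111:
                findings.append((rel, "executable bit set (mode %o)" % mode))
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if SECRET_RE.search(line):
                        # Report the location only; never echo the secret itself.
                        findings.append((rel, "hard-coded credential at line %d" % lineno))
    return sorted(findings)

def demo():
    """Build a constructed sample web root and audit it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            # Constructed: mode 711 and an inline password, as described in the thread.
            "quote.php": ("<?php\n$db_password = 'constructed-sample';\n", 0o711),
            # Constructed: credentials loaded from a hypothetical path outside the web root.
            "index.php": ("<?php\nrequire '/home/user/private/config.php';\n", 0o644),
        }
        for name, (body, mode) in samples.items():
            path = os.path.join(root, name)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
            os.chmod(path, mode)
        return audit_docroot(root)

if __name__ == "__main__":
    for rel, issue in demo():
        print(rel + ": " + issue)
```

Files the audit flags for credentials are the ones whose secrets belong in a configuration file stored outside the document root, so that a handler misconfiguration exposes only the `require` line.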