Download a php file without executing it






















It will only download if the file name is strictly local and without the URL. If non-local or local but with URL even for the same server, it will fail; the download happens but the code is not there.


I told my developer to move it away from public folder but he said there is no risk as files are php files and even if someone types in browser the www.

It's correct provided the PHP settings are correct, which is easy enough to verify. There are tons of resources which explain what settings features should be enabled and disabled when using PHP and the values certain settings should be i.

XSS is client side, there is no way in which this could ever be used to read source code on the server. If you think this is possible you need to learn more about XSS, this is a very serious vulnerability and not understanding the basics of this vulnerability is extremely dangerous.

It's relatively easy to make a configuration mistake that will temporarily disable PHP execution, so why take the risk?

For any decent app the only thing that needs to reside in the public folder is an index. Everything else should be one directory above that is not accessible from the outside.

SQL Injection under MySQL can be used to read source code.

FTP means that source code is transmitted in plain text.

Rook - Gopher still exists. FTP will always exist. The question is why people still use it.

And the answer probably has to do with the fact that SFTP requires a shell account or rssh, etc. and isn't supported on Windows.

Searching through config files for hardcoded passwords is seriously the easiest way to priv-esc and pwn networks.

Rook - LFI is entirely possible. Imagine e.

I've already tried grabbing it via PHP, however in reading the file the server executes it and the same error is returned - same as viewing it via HTML, Firefox or whatnot.

Good suggestions though, I appreciate the help!

If anyone could get PHP files from another server that would be an extremely huge security hole.

Long answer: Unless the host has some sort of an issue with rendering PHP files due to a strange setup (rare, but occasional - most often due to an error) it's impossible to download the source of a PHP file. For good reason. The only way to figure out how it's handling a post without viewing the actual source is to experiment and try and estimate what kind of checks are being run on it by trying different types of data and seeing what the result is.

Travis, May 27,

Your config file looks proper.

I have this issue too… Same config… My droplet is www.

Referenced it from a working server, then ran a quick search for additional info.

Kamal, thank you for your answer. I keep downloading the index.

Make sure you already installed it by typing `php -v`. If there is no version information about your PHP, then you should install it with:



