Need help preventing PHP code leakage

Posted: Fri Oct 01, 2010 12:25 pm
by meefozio
[NOTE: I previously had this post in the security section but nobody responded to it.]

Hi all,

I've been reading about and implementing many PHP security measures before I launch my site, but I'm not finding a lot of information on preventing PHP code leakage. If you google "facebook code leakage," you get a bunch of matches explaining how their homepage PHP code was displayed for all to see. Most people are saying it is related to mod_php not being available.

If you google "prevent PHP code leak" or variations of that, you don't get a whole lot of useful tactics. A few websites mention using mod_security to prevent code leakage, and another recommends using htaccess to detect if mod_php is available before sending data out.

I'm leaning towards putting the following lines in htaccess, but I'm hesitant because the solution is not widely published:

<ifmodule !mod_php5.c>
<filesmatch "\.php$">
Order allow,deny
Deny from all
Allow from none
</filesmatch>
</ifmodule>

So I guess what I want to know is: what is the best or most common way to prevent code leakage?

Thanks,

meefozio

Re: Need help preventing PHP code leakage

Posted: Fri Oct 01, 2010 3:09 pm
by yacahuma
Are you asking about a Facebook application? There is no way to see PHP source code if your files end in .php and you have the interpreter installed correctly.

Re: Need help preventing PHP code leakage

Posted: Fri Oct 01, 2010 4:47 pm
by meefozio
No, I'm not asking about a Facebook application. What I was trying to say is that once upon a time, Facebook experienced a problem where its PHP files were being sent out unprocessed for the whole world to see. It apparently can happen when mod_php is unavailable.

I just wanted to know if there is a way to prevent this situation or handle it if it happens to occur on my own website.

Re: Need help preventing PHP code leakage

Posted: Fri Oct 01, 2010 5:26 pm
by yacahuma
Anyone can verify this. I never heard of it.

Re: Need help preventing PHP code leakage

Posted: Fri Oct 01, 2010 7:34 pm
by califdon
I am certainly not a security expert, but I don't think you have anything to worry about. I had never heard of "PHP code leakage" either, and when I used your suggestion of searching for the phrase, I immediately found a blog discussing an incident involving Facebook in 2007, along with a direct quotation from Facebook:
“A small fraction of the code that displays Facebook web pages was exposed to a small number of users due to a single misconfigured web server that was fixed immediately. It was not a security breach and did not compromise user data in any way.”
My conclusion is that if your server is configured properly, there is no risk, especially since it is obviously a very rare event, since there are almost no references to any but this one incident.

Re: Need help preventing PHP code leakage

Posted: Fri Oct 01, 2010 9:27 pm
by requinix
califdon wrote: My conclusion is that if your server is configured properly, there is no risk, especially since it is obviously a very rare event, since there are almost no references to any but this one incident.
That.

"Code leakage" only happens if the code does not get interpreted. If it does not, then 80%: the server is improperly configured and 20%: a developer dun goofed (e.g., used readfile instead of include, named something .inc instead of .php).

Re: Need help preventing PHP code leakage

Posted: Sat Oct 02, 2010 2:31 pm
by meefozio
So, in the event that the server is improperly configured or I make some other kind of screw-up, how can I prevent the code from leaking? I do not want to risk the PHP code showing, even if it is a very rare event. Would the following htaccess snippet work?
meefozio wrote:
<ifmodule !mod_php5.c>
<filesmatch "\.php$">
Order allow,deny
Deny from all
Allow from none
</filesmatch>
</ifmodule>
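As an added example (not code from this thread or from any poster), here is a fuller version of the .htaccess idea being asked about. It refuses raw .php files only when none of the usual PHP handler modules is loaded, and it always refuses include-style and backup files, which also covers the ".inc instead of .php" mistake requinix mentions. The module file names are assumed from stock Apache/PHP builds (mod_php5.c for PHP 5, mod_php7.c for PHP 7, mod_php.c for PHP 8, mod_proxy_fcgi.c or mod_fcgid.c for php-fpm setups); confirm yours with `apachectl -M`. Both the Apache 2.2 (Order/Deny) and 2.4 (Require) access-control forms are included so the file works on either.

```apache
# Added example, not from the thread. Module names below are assumptions
# based on stock builds; verify with `apachectl -M` before relying on them.

# Files that must never reach a browser regardless of the interpreter:
# "included only" .inc files, .phps source views, editor backups, SQL dumps.
<FilesMatch "(\.(inc|phps|bak|orig|swp|sql)|~)$">
    <IfModule mod_authz_core.c>
        # Apache 2.4 access control
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 access control
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# Raw .php files: refuse them when none of the modules that could hand them
# to PHP is present. Nested negative IfModule blocks mean "all of these absent".
<IfModule !mod_php5.c>
<IfModule !mod_php7.c>
<IfModule !mod_php.c>
<IfModule !mod_proxy_fcgi.c>
<IfModule !mod_fcgid.c>
    <FilesMatch "\.(php|phtml)$">
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
        <IfModule !mod_authz_core.c>
            Order allow,deny
            Deny from all
        </IfModule>
    </FilesMatch>
</IfModule>
</IfModule>
</IfModule>
</IfModule>
</IfModule>
```

Two limits worth knowing before dropping this in. The directory's AllowOverride must permit Limit (2.2) or AuthConfig (2.4) or the file is silently ignored. And the check is only as good as the module test: if PHP runs as a plain CGI through mod_cgi there is no PHP-specific module to detect and this rule would block your own site, while a handler module that is loaded but not mapped to .php passes the test and the source still goes out. That is the "too many what-ifs" objection in the next reply, and it is why keeping application code outside the document root is the more reliable control.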

Re: Need help preventing PHP code leakage

Posted: Sat Oct 02, 2010 7:56 pm
by requinix
What if PHP is set up as a CGI application?
What if that configuration has a flaw?
There are too many what-ifs for such a tiny risk.

If it would be the end of the world to have some PHP code exposed then don't put it in the webserver's document root.
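As an added example of that last suggestion (not from the thread; the paths and hostname are assumed), this is a virtual host layout in which the only PHP file under the document root is a one-line front controller. Everything else lives one level up, where Apache never maps it to a URL, so even a broken interpreter setup can expose at most that single require line.

```apache
# Added example, not from the thread. All paths and the ServerName are assumed.
#
# Assumed layout:
#   /srv/example/app/              all application code (never served directly)
#   /srv/example/app/config.php    database credentials etc.
#   /srv/example/app/bootstrap.php routes the request, includes config.php
#   /srv/example/public/           DocumentRoot: index.php, css/, js/, images/
#   /srv/example/public/index.php  contains only:
#       <?php require __DIR__ . '/../app/bootstrap.php';

<VirtualHost *:80>
    ServerName example.test
    DocumentRoot /srv/example/public

    <Directory /srv/example/public>
        # No directory listings; no .htaccess overrides to be misconfigured later
        Options -Indexes
        AllowOverride None
        Require all granted
    </Directory>

    # Belt and braces: even if an Alias or symlink ever points here, refuse it
    <Directory /srv/example/app>
        Require all denied
    </Directory>
</VirtualHost>
```

With this split, a mod_php outage or a bad handler mapping turns index.php into a served text file containing one require statement and nothing else; credentials and business logic in /srv/example/app are unreachable because no URL resolves to them. The `Require` directives are Apache 2.4 syntax; on 2.2 use `Order allow,deny` / `Allow from all` and `Deny from all` respectively.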