Asked
Updated
Viewed
8.8k times

It was suggested that a malfunctioning web server could send unprocessed .php files to the client; potentially exposing sensitive code. Could an Apache file directive prevent sending .php files unless they were processed?

The Apache Files directive could prevent an extension completely, but that would prevent all PHP scripts.

For example, this Files directive (untested) matches files ending in .inc, denying requests for these files.

<Files ~ "\.(inc)$"> 
    Order allow,deny 
    Deny from all 
    Satisfy All 
</Files>

What if something similar was placed inside a test for a module?

<IfModule !mod_php4.c> 
    <Files ~ "\.(php)$"> 
        Order allow,deny 
        Deny from all 
        Satisfy All 
    </Files> 
</IfModule>

I am thinking that a failed PHP module could be tested and .php files could be conditionally blocked with the above htaccess instructions.

Should the server deny all PHP files if the module crashed and burned on startup? Could a solution similar to this be put into effect if the module crashed and burned after startup?

add a comment
1

1 Answer

  • Votes
  • Oldest
  • Latest
LE
20 0
Answered
Updated

The problem is, the webserver will send unparsed PHP to the client if the PHP module fails. Therefore, the solution should be module independent. I think the best try is using the filename/extension filter and using the desired PHP extensions strictly to name your files. That way you will be sure no PHP file will go to the cliente if PHP module fails.

For example, if you configure your server for using PHP, then you tell Apache to send .php and .php3 files to PHP module. If you are going to use .inc as an extra PHP file extension, then you must add .inc to PHP module configuration in the Apache .conf file. Then, as long as the PHP module works ok, there is no way to get to the PHP source code.

Here we need a fallback configuration, if the PHP module is not working, we should disallow .php, .php3, and .inc files from being downloaded.

Well, after trying a couple of things. It is really difficult to start Apache if the PHP module is broken. The only way I found was to disable the module. In this case, a piece of code already posted will work ok:

<IfModule !mod_php4.c>
 <Files ~ "\.php">
    Order allow,deny
    Deny from all
 </Files>
</IfModule> 

Adding the whole extensions list to the regular expression.

The valid test would be killing (somehow) the PHP module without killing the Apache server for checking if, in that case, the PHP code gets exposed. I think this is not an easy thing to happen. I wonder:

What kind of PHP script is too good to be worth the effort?

There are so many open source systems (written in PHP) out there that I can't think of a script doing something really original. For security matters, moving a few scripts to a safe (out-of-document root directory) location is enough.

add a comment
1