PHP source code was shown on the webpage - security issue ?

[newbie2008]

Hi Till,

I am not sure this is my setting problem, I am using ISPConfig version 2.2.24

1) I have enable php globally and uncheck the PHP Scripts and PHP Safe Mode options in one of my virtual site, say www.example.com
2) There is a test.php program in the /var/www/example.com/web/

When I visit the virtual site www.example.copm/test.php, the source code of test.php shows up. I feel very unsafe that the php source code reveal to any visitors?

[till]

This is a problem with your settings.

1) If you uncheck the php option in the site settings then PHP is disabled and you see the sourcecode. hats the intended behaviour of disabling PHP Enable it and it in the site settings and it should work properly. You can not enable php globally, take a look at the perfect setup guide and configure your server properly as described there.

[newbie2008]

Quote:

Originally Posted by till

This is a problem with your settings.

1) If you uncheck the php option in the site settings then PHP is disabled and you see the sourcecode. hats the intended behaviour of disabling PHP Enable it and it in the site settings and it should work properly. You can not enable php globally, take a look at the perfect setup guide and configure your server properly as described there.

Sorry that I have typo, actually I have disabled PHP Globally before. Here is my /etc/httpd/conf.d/php.conf as

# AddType application/x-httpd-php .php
# AddType application/x-httpd-php-source .phps

so, is it inevitable to show the php source code or I must remove any .php programs under /web ? This might be inconvenience for temporary disable php function per virtual website!

[newbie2008]

Quote:

Originally Posted by newbie2008

Sorry that I have typo, actually I have disabled PHP Globally before. Here is my /etc/httpd/conf.d/php.conf as

# AddType application/x-httpd-php .php
# AddType application/x-httpd-php-source .phps

so, is it inevitable to show the php source code or I must remove any .php programs under /web ? This might be inconvenience for temporary disable php function per virtual website!

Again, by experiment I found that if "AddType application/x-httpd-php .php" was remarked in /etc/httpd/conf.d/php.conf, and disable (uncheck) the php script of one virtual site (www.example.com) in ispconfig UI, the .php program source will be displayed on that website; like www.example.com/test.php.
I have tried php4 and php5 in different server, will there be any gentlemen/ladies give me an advice?

[falko]

Which distribution are you using?

[newbie2008]

Quote:

Originally Posted by falko

Which distribution are you using?

Hi falko, I have two severs; ServerA using CentOS4.6 + Apache2.0 + PHP4 and ServerB using CentOS4.7 + Apache2.0 + PHP5. Both using ISPConfig 2.2.24, some php version captured here:

for ServerA
php-xmlrpc-4.3.9-3.22.12
php-mysql-4.3.9-3.22.12
php-ldap-4.3.9-3.22.12
php-odbc-4.3.9-3.22.12
php-gd-4.3.9-3.22.12
php-devel-4.3.9-3.22.12
php-imap-4.3.9-3.22.12
php-pear-4.3.9-3.22.12
php-4.3.9-3.22.12

and for ServerB
php-ldap-5.1.6-3.el4s1.9
php-pear-1.4.11-1.el4s1.1
php-odbc-5.1.6-3.el4s1.9
php-pdo-5.1.6-3.el4s1.9
php-xml-5.1.6-3.el4s1.9
php-imap-5.1.6-3.el4s1.9
php-cli-5.1.6-3.el4s1.9
php-mysql-5.1.6-3.el4s1.9
php-devel-5.1.6-3.el4s1.9
php-5.1.6-3.el4s1.9
php-gd-5.1.6-3.el4s1.9
php-common-5.1.6-3.el4s1.9
php-xmlrpc-5.1.6-3.el4s1.9

I have followed the installation guide
http://www.howtoforge.com/centos-4.6...-ftp-ispconfig
for /etc/httpd/conf.d/php.conf which only with this

In ServerA
LoadModule php4_module modules/libphp4.so
DirectoryIndex index.php

and in Server B
LoadModule php5_module modules/libphp5.so
DirectoryIndex index.php

Does this information help?