Go Back   HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > ISPConfig 2 > Tips/Tricks/Mods

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.
Reply
 
Thread Tools Display Modes
  #1  
Old 20th March 2009, 04:17
newbie2008 newbie2008 is offline
Junior Member
 
Join Date: Feb 2009
Posts: 14
Thanks: 2
Thanked 0 Times in 0 Posts
Default PHP source code was shown on the webpage - security issue ?

Hi Till,

I am not sure this is my setting problem, I am using ISPConfig version 2.2.24

1) I have enable php globally and uncheck the PHP Scripts and PHP Safe Mode options in one of my virtual site, say www.example.com
2) There is a test.php program in the /var/www/example.com/web/

When I visit the virtual site www.example.copm/test.php, the source code of test.php shows up. I feel very unsafe that the php source code reveal to any visitors?

Reply With Quote
Sponsored Links
  #2  
Old 20th March 2009, 08:52
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 34,586
Thanks: 792
Thanked 4,983 Times in 3,903 Posts
Default

This is a problem with your settings.

1) If you uncheck the php option in the site settings then PHP is disabled and you see the sourcecode. hats the intended behaviour of disabling PHP Enable it and it in the site settings and it should work properly. You can not enable php globally, take a look at the perfect setup guide and configure your server properly as described there.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #3  
Old 21st March 2009, 03:47
newbie2008 newbie2008 is offline
Junior Member
 
Join Date: Feb 2009
Posts: 14
Thanks: 2
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by till View Post
This is a problem with your settings.

1) If you uncheck the php option in the site settings then PHP is disabled and you see the sourcecode. hats the intended behaviour of disabling PHP Enable it and it in the site settings and it should work properly. You can not enable php globally, take a look at the perfect setup guide and configure your server properly as described there.
Sorry that I have typo, actually I have disabled PHP Globally before. Here is my /etc/httpd/conf.d/php.conf as

# AddType application/x-httpd-php .php
# AddType application/x-httpd-php-source .phps

so, is it inevitable to show the php source code or I must remove any .php programs under /web ? This might be inconvenience for temporary disable php function per virtual website!
Reply With Quote
  #4  
Old 21st March 2009, 13:41
newbie2008 newbie2008 is offline
Junior Member
 
Join Date: Feb 2009
Posts: 14
Thanks: 2
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by newbie2008 View Post
Sorry that I have typo, actually I have disabled PHP Globally before. Here is my /etc/httpd/conf.d/php.conf as

# AddType application/x-httpd-php .php
# AddType application/x-httpd-php-source .phps

so, is it inevitable to show the php source code or I must remove any .php programs under /web ? This might be inconvenience for temporary disable php function per virtual website!

Again, by experiment I found that if "AddType application/x-httpd-php .php" was remarked in /etc/httpd/conf.d/php.conf, and disable (uncheck) the php script of one virtual site (www.example.com) in ispconfig UI, the .php program source will be displayed on that website; like www.example.com/test.php.
I have tried php4 and php5 in different server, will there be any gentlemen/ladies give me an advice?
Reply With Quote
  #5  
Old 21st March 2009, 21:30
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,711
Thanks: 1,899
Thanked 2,702 Times in 2,545 Posts
Default

Which distribution are you using?
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
Reply With Quote
  #6  
Old 22nd March 2009, 06:02
newbie2008 newbie2008 is offline
Junior Member
 
Join Date: Feb 2009
Posts: 14
Thanks: 2
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by falko View Post
Which distribution are you using?
Hi falko, I have two severs; ServerA using CentOS4.6 + Apache2.0 + PHP4 and ServerB using CentOS4.7 + Apache2.0 + PHP5. Both using ISPConfig 2.2.24, some php version captured here:

for ServerA
php-xmlrpc-4.3.9-3.22.12
php-mysql-4.3.9-3.22.12
php-ldap-4.3.9-3.22.12
php-odbc-4.3.9-3.22.12
php-gd-4.3.9-3.22.12
php-devel-4.3.9-3.22.12
php-imap-4.3.9-3.22.12
php-pear-4.3.9-3.22.12
php-4.3.9-3.22.12

and for ServerB
php-ldap-5.1.6-3.el4s1.9
php-pear-1.4.11-1.el4s1.1
php-odbc-5.1.6-3.el4s1.9
php-pdo-5.1.6-3.el4s1.9
php-xml-5.1.6-3.el4s1.9
php-imap-5.1.6-3.el4s1.9
php-cli-5.1.6-3.el4s1.9
php-mysql-5.1.6-3.el4s1.9
php-devel-5.1.6-3.el4s1.9
php-5.1.6-3.el4s1.9
php-gd-5.1.6-3.el4s1.9
php-common-5.1.6-3.el4s1.9
php-xmlrpc-5.1.6-3.el4s1.9

I have followed the installation guide
http://www.howtoforge.com/centos-4.6...-ftp-ispconfig
for /etc/httpd/conf.d/php.conf which only with this

In ServerA
LoadModule php4_module modules/libphp4.so
DirectoryIndex index.php

and in Server B
LoadModule php5_module modules/libphp5.so
DirectoryIndex index.php

Does this information help?
Reply With Quote
  #7  
Old 22nd March 2009, 14:52
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,711
Thanks: 1,899
Thanked 2,702 Times in 2,545 Posts
Default

Looks ok. What's in your Vhosts_ispconfig.conf? Can you go to the directory where Vhosts_ispconfig.conf is located and post the output of
Code:
ls -la
?
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
Reply With Quote
  #8  
Old 22nd March 2009, 15:32
id10t id10t is offline
Senior Member
 
Join Date: Nov 2008
Posts: 237
Thanks: 2
Thanked 22 Times in 22 Posts
Default

You could use a .htaccesss file to disable all access to *php
Reply With Quote
  #9  
Old 22nd March 2009, 18:05
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 34,586
Thanks: 792
Thanked 4,983 Times in 3,903 Posts
Default

It is the intention that php source code is shown if you disable php, as php is DISABLED theb. So if you want to upload PHP files to a website you should enable php as it is absolutely useseless to upload php files to a website were you disabled php in the site settings.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #10  
Old 23rd March 2009, 04:30
newbie2008 newbie2008 is offline
Junior Member
 
Join Date: Feb 2009
Posts: 14
Thanks: 2
Thanked 0 Times in 0 Posts
 
Default

Quote:
Originally Posted by till View Post
It is the intention that php source code is shown if you disable php, as php is DISABLED theb. So if you want to upload PHP files to a website you should enable php as it is absolutely useseless to upload php files to a website were you disabled php in the site settings.
Dear all, Thanks all of your reply. What I want to disable PHP script under ISPConfig UI control panel is to let the PHP function temporary inaccessible (for internal php script development and testing). Okay, I will try other method or rename all those php programs for my temporary purpose.
Reply With Quote
Reply

Bookmarks

Tags
php, security

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
ffmpeg Video support for ubuntu 7.10 [suphp-ispconfig] amaurib Installation/Configuration 13 16th February 2010 17:26
ISP Config hesitation when opening web pages frankb Installation/Configuration 7 15th December 2008 13:06
ispconfig php 5 errors itamarjp Installation/Configuration 8 25th April 2008 10:20
network issues now it says "401 The web site is blocked by administrator" Check General 3 26th February 2008 14:22
Apache2 Freezes celtic Server Operation 31 28th May 2007 17:18


All times are GMT +2. The time now is 02:11.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.