  1. #1
    Regular Coder
    Join Date
    Aug 2010
    Location
    Now Southern Oregon. I was born and had lived my life in Los Angeles until relocating last year (2010)
    Posts
    215
    Thanks
    52
    Thanked 1 Time in 1 Post

    referencing php code file from a remote server?

    I have not had a reason to address this issue but now I do:
    Is it possible to read a PHP code file from a remote server by
    code with
    Code:
    require(<absolute url to remote php code file>)
    Will this need FTP user or server user permissions?
    And if so, is it possible to reproduce the code in a readable document?
    I am concerned about access to code that otherwise would not be readable
    because the code file does not have any instruction to print or echo anything.

    For instance, I could use a browser to request "someSite.com/somePHPcode.php"
    and somePHPcode.php will not reveal anything unless it contains a
    call to hiliteFile or hiliteString, or a code file global scope call to print or echo.
    But if a reference to a code file is revealed in an error resulting from a call to
    include or require, then is it possible to retrieve the hidden code from a
    remote location with the above script, or a call to hiliteFile for that matter?

    I dug through my copy of the PHP manual to find the correct function call: highlight_file()
    I also set up a test from a local dev server, but I do not have static IP addresses so I don't know if this
    really worked. The test code calls the various functions from the local browser via local server, and errors
    are returned to the effect of not being able to find a suitable wrapper. I am using a file that exists on my own site
    to see if I can hack it and read the code. The PHP error log on my site has numerous errors listed from altered URL requests
    that appear to be intended to produce error messages. Thus I am concerned about remote knowledge of code file names
    that might be accessed directly to read the code by unauthorized entities.
    Last edited by anotherJEK; 05-22-2013 at 05:26 AM. Reason: further investigation and info

  • #2
    Senior Coder Dormilich
    Join Date
    Jan 2010
    Location
    Behind the Wall
    Posts
    3,343
    Thanks
    13
    Thanked 349 Times in 345 Posts
    To access PHP source code of a remote server you have to bypass its PHP interpreter (or for that matter, the server’s directive to pass a file through the PHP interpreter before sending it out). For that matter FTP would do that, Sockets maybe as well, but not HTTP.
    The computer is always right. The computer is always right. The computer is always right. Take it from someone who has programmed for over ten years: not once has the computational mechanism of the machine malfunctioned.
    André Behrens, NY Times Software Developer

  • #3
    Super Moderator
    Join Date
    May 2002
    Location
    Perth Australia
    Posts
    4,076
    Thanks
    11
    Thanked 98 Times in 96 Posts
    You could have a script getfile.php?v=file, and getfile.php could use highlight_file or otherwise return the contents of the then-local file, but how to protect that from just anyone accessing the file I am unsure. You could restrict that script to an IP address, or send the data back encrypted and then decrypt it locally, or as Dormilich suggests run a socket server with authentication... but all of the above seem an awful lot of work.
    FTP etc. I would have thought would be far too slow; it depends on what you are using this routine for.
    A Samba or SSH share might work... but again, lots of work.
    resistance is...

    MVC is the current buzz in web application architectures. It comes from event-driven desktop application design and doesn't fit into web application design very well. But luckily nobody really knows what MVC means, so we can call our presentation layer separation mechanism MVC and move on. (Rasmus Lerdorf)

  • #4
    Regular Coder
    Join Date
    Aug 2010
    Location
    Now Southern Oregon. I was born and had lived my life in Los Angeles until relocating last year (2010)
    Posts
    215
    Thanks
    52
    Thanked 1 Time in 1 Post

    Thank you

    I am only concerned that PHP files listed in error messages might be read
    from a remote location. I am not trying to set up a system to do that. I gather
    that a hacker would have to go through all this work to try to read a script file
    remotely. So I am probably safe just to fix the code producing the errors and not
    bother changing all the script file names, and revising all the code that references them.
    I do not have anything to hide except for the code I labored
    to develop and possibly the server's security.

  • #5
    Senior Coder Dormilich
    Join Date
    Jan 2010
    Location
    Behind the Wall
    Posts
    3,343
    Thanks
    13
    Thanked 349 Times in 345 Posts
    As long as you don’t have XSS attack vectors open (or your access passwords leaked), I see no reason why the mere knowledge of the file name and path should harm you. That is information browsers also need to know.

    OK, non-PHP files (like .ini files) must be protected separately.
    The computer is always right. The computer is always right. The computer is always right. Take it from someone who has programmed for over ten years: not once has the computational mechanism of the machine malfunctioned.
    André Behrens, NY Times Software Developer
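
An added example, not code from any poster in this thread: a PHP script that checks the settings this discussion turns on (errors shown to visitors, `require` of remote URLs) and lists non-PHP files under the document root, which the server typically sends as-is unless it is configured to deny them. The extension list and the default document root are assumptions.

```php
<?php
// Added example, not from the thread. Extension list and default docroot are assumptions.

/** Return ini settings whose effective on/off state differs from the wanted one. */
function audit_ini(array $wanted): array
{
    $off = ['', '0', 'off', 'no', 'false', 'none'];
    $findings = [];
    foreach ($wanted as $key => $shouldBeOn) {
        $actual = ini_get($key);
        if ($actual === false) {
            continue; // directive does not exist in this PHP build
        }
        $isOn = !in_array(strtolower(trim($actual)), $off, true);
        if ($isOn !== $shouldBeOn) {
            $findings[] = sprintf('%s is %s, want %s', $key,
                $isOn ? 'On' : 'Off', $shouldBeOn ? 'On' : 'Off');
        }
    }
    return $findings;
}

/** List files under $docroot that bypass the PHP interpreter because of their extension. */
function find_raw_served_files(string $docroot, array $exts): array
{
    $hits = [];
    $walker = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($docroot, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($walker as $file) {
        if ($file->isFile() && in_array(strtolower($file->getExtension()), $exts, true)) {
            $hits[] = $file->getPathname();
        }
    }
    return $hits;
}

$docroot = $argv[1] ?? __DIR__; // assumed: pass the site's document root as argument 1
$ini = audit_ini([
    'display_errors'    => false, // errors shown to visitors disclose script paths
    'log_errors'        => true,  // keep the detail in the server-side log instead
    'allow_url_include' => false, // require()/include of http:// URLs stays disabled
    'expose_php'        => false,
]);
$raw = find_raw_served_files($docroot, ['ini', 'inc', 'bak', 'old', 'orig', 'sql', 'log', 'env']);
foreach ($ini as $line) { echo "[ini] $line\n"; }
foreach ($raw as $path) { echo "[raw] $path\n"; }
```

Run it under the same SAPI and php.ini as the site, since the command-line and web server settings can differ.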

