
security question

  #1  
Old January 29th, 2006, 08:45 PM
windandwaves
Guest
 
Posts: n/a
Default security question

Hi Folk

If I have a file in the public html directory (e.g. mypage.php) then can
anyone read this file (i.e. read its actual content rather than the
interpreted contents it returns when someone opens
www.myurl.com/mypage.php)?

If so, how do they do that?

TIA

- Nicolaas





  #2  
Old January 29th, 2006, 08:55 PM
Chris
Guest
 
Posts: n/a
Default Re: security question

Hi,

Unless they have a login to your server, then no they can't. They see
exactly what you see through a browser.

(If they have access to the server however they can see the code).

windandwaves wrote:
> Hi Folk
>
> If I have a file in the public html directory (e.g. mypage.php) then can
> anyone read this file (i.e. read its actual content rather than the
> interpreted contents it returns when someone opens
> www.myurl.com/mypage.php)?
>
> If so, how do they do that?
>
> TIA
>
> - Nicolaas

  #3  
Old January 29th, 2006, 09:45 PM
Sadara
Guest
 
Posts: n/a
Default Re: security question

windandwaves wrote:
> Hi Folk
>
> If I have a file in the public html directory (e.g. mypage.php) then can
> anyone read this file (i.e. read its actual content rather than the
> interpreted contents it returns when someone opens
> www.myurl.com/mypage.php)?
>
> If so, how do they do that?

If your webserver is not configured to interpret files with the file
extension php by passing them to PHP, then it will most likely display
/mypage.php as plain text when it is requested.

s
  #4  
Old January 29th, 2006, 09:45 PM
xclarky@gmail.com
Guest
 
Posts: n/a
Default Re: security question

If PHP is misconfigured or otherwise fails to run, then the file will
not be processed by the engine, resulting in the contents of the file
being exposed in plain text format. If everything is configured
correctly and the PHP files are parsed, only the output will be received
through the HTTP server.

  #5  
Old January 29th, 2006, 10:15 PM
Iván Sánchez Ortega
Guest
 
Posts: n/a
Default Re: security question

windandwaves wrote:

> If I have a file in the public html directory (e.g. mypage.php) then can
> anyone read this file (i.e. read its actual content rather than the
> interpreted contents it returns when someone opens
> www.myurl.com/mypage.php)?

Not in most cases. As it has been already said, .php files are interpreted
and run, not read, if the webserver configuration is right.

> If so, how do they do that?

A way to circumvent this is to make use of some insecure script that is able
to read files from the server and output them to the client with no or little
checks, something like:

www.myurl.com/download.php?file=../../mypage.php
http://www.myurl.com/download.php?fi.../../etc/passwd

--
Iván Sánchez Ortega -i-punto-sanchez--arroba-mirame-punto-net

http://acm.asoc.fi.upm.es/~mr/ ; http://acm.asoc.fi.upm.es/~ivan/
MSN:i_eat_s_p_a_m_for_breakfast@hotmail.com
Jabber:ivansanchez@jabber.org ; ivansanchez@kdetalk.net
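
Added example, not part of the thread or any poster's code: a hypothetical `download.php` of the kind the last reply describes, with the unchecked form next to a hardened one that resolves the requested path and refuses anything outside its download directory. `BASE_DIR`, `serve_unchecked()` and `resolve_download()` are names assumed for illustration.

```php
<?php
// Added example. BASE_DIR is an assumed directory holding the only files
// this script is meant to hand out; adjust it to the real layout.
const BASE_DIR = '/var/www/downloads';

// Unchecked form (shown for comparison, never called): the parameter is
// joined to the path as-is, so "../" segments leave BASE_DIR and
// readfile() returns the raw source of mypage.php instead of its output.
function serve_unchecked(string $name): void
{
    readfile(BASE_DIR . '/' . $name);
}

// Hardened form: canonicalise first, then verify containment.
function resolve_download(string $name): ?string
{
    $base = realpath(BASE_DIR);
    if ($base === false || $name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    // realpath() collapses "../" and follows symlinks; false if missing.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Prefix check includes the trailing separator, so a sibling such as
    // /var/www/downloads-old does not pass as "inside" BASE_DIR.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Defence in depth: never stream script source, even from BASE_DIR.
    if (strtolower(pathinfo($path, PATHINFO_EXTENSION)) === 'php') {
        return null;
    }
    return $path;
}

$requested = $_GET['file'] ?? '';
$path = is_string($requested) ? resolve_download($requested) : null;
if ($path === null) {
    http_response_code(404);   // same answer for "missing" and "refused"
    exit;
}
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode(basename($path)));
readfile($path);
```

Keeping `BASE_DIR` outside the document root, where the layout allows it, also covers the misconfiguration case raised earlier in the thread, since files there are never served directly by the web server.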