I was browsing through another, non-PHP related forum when I came across this post:

Haha, then you get an HTML version, the only way to steal a php script is to dload the file, its simple if you know how, just dload Download Accelator + and then you write the url to the file
and then you dload it... Easy

and immediately after that:

I know this becouse i was playing a hacking game on this place:

try2hack.nl (i think it was something like that)

I was curious, and replied with:

I dont think that will work out, you'll just be downloading the html page that is served.

The user then told me:

NOt if you enter a url like.. http://www.blabla.com/file.php

Now, I was not convinced so I went to download download accelerator plus, and tried it out on my own PHP pages.
As expected, I only downloaded the parsed page, i.e. clientside code.

I challenged the user to provide a proof-of-concept, e.g. the source code of the messageboard we were posting in.

There was no reply.

I am still curious as to whether such an exploit is possible.
Anyone succeeded in such an attempt at obtaining serverside code this way?
We are, of course, assuming the webserver is properly configured to parse PHP scripts.

No Exploit!

To use DAP or any other download acc. dont have any thing to do with the method used for relly downloadign...

DAP only open more then then normal 1 download tread, then more resources are dedicated to you.

The persons you have spoken to have been just COMPLETE newbies, and down know anything abot the construction of the net....

Originally posted by Truti
To use DAP or any other download acc. dont have any thing to do with the method used for relly downloadign...

DAP only open more then then normal 1 download tread, then more resources are dedicated to you.

in theory, yes.

but if you read his/her post, he/she appears to be speaking from experience, and that puzzles me.

Impossible, the user-agent has nothing to do with whether or not PHP code is parsed.

he/she may have been talking smart, but in the end, was a complete meathead...

if there was such an exploit, i don't think PHP would still be used...

if it is true, you should be able to do it with any server-side pages, but that isn't likely to happen...

Interesting enough to try though. I'll put it through the wringer when I get home tonight....

Originally posted by yuraupt
I suppose that guy just got file with php extension but with generated HTML inside. And he thought that he had stole the php source ... :p

Yeah, that is exactly what happened!

the only way to get the source for a php file is have it displayed on another page on the same server. any attempts to remotely access the file will have it parsed before it's sent.

uh huh

Originally posted by laserlight
in theory, yes.

but if you read his/her post, he/she appears to be speaking from experience, and that puzzles me.

ive done some research on this before - and actualy discussed it here too... there was some talk about a mysterious application that supposedly CAN accomplish such a download. but after more researching since then i highly doubt that there ios a effective way to actually get the php source without any server access of any kind. of course you never know whats gonna happen, but in my opinion there would be real havoc online as soon as a monster like this broke lose and we'd all notite fairly quickly (just think of all the passwords that could be grabbed that way)

nevertheless... i stumbled upon a page a while ago, which was running on a server that obviously experienced some problems at the time and didnt parse php files - since they were running phpBB i gave it a try and tried grabbing their db-config info no problem there either. so i emailed the username and password to the webmaster, suggesting him to get his page back together ;-)

I can't count how many times I've told people to store those things outside of their document root. It's just silly to keep that kind of info in there when it can so easily be moved outside.

Originally posted by LordShryku
I can't count how many times I've told people to store those things outside of their document root. It's just silly to keep that kind of info in there when it can so easily be moved outside.

the problem here is that not everyone has access to space outside document root.

in any case, I'll take it that the technical community here agrees with my opinion, so we all should be safe, at least until sid's mysterious program pops up

Well, just for grins, just tested it using download accelerator plus. Tried it with $GET vars, without, with anchors(#post10437859) Every php page I tried came out as parsed html. So yeah, he's full of it.

perhaps he 'misspelled' .phps?:rolleyes:

This site sometimes spews out a HTTP response at the top of the page. I have seen entire pages of source code before but only on websites that are broken.

I heard that there was a similar exploit on IIS once. But then that's another story.

Another thing he could have done was accessed the link on PHP.net which shows you the source code of the page

But anyone play try2hack.nl ?
I've played a local version try2hack.it and all hack are for
client-side protection (javascript, java, visualbasic, flash) or
for netbios and irc... nothing about servlet, asp and php...

However all the techniques are good to ack a real site.

(and lets me say "try2hack" word is missing from any search engine...)