he/she may have been talking smart, but in the end, was a complete meathead...

if there was such an exploit, i don't think PHP would still be used...

if it is true, you should be able to do it with any server-side pages, but that isn't likely to happen...

    Interesting enough to try though. I'll put it through the wringer when I get home tonight....

      I suppose that guy just got a file with a php extension but with generated HTML inside. And he thought that he had stolen the php source ... :p

        Originally posted by yuraupt
        I suppose that guy just got a file with a php extension but with generated HTML inside. And he thought that he had stolen the php source ... :p

        Yeah, that is exactly what happened!

          the only way to get the source for a php file is to have it displayed on another page on the same server. any attempts to remotely access the file will have it parsed before it's sent.

            Originally posted by laserlight
            in theory, yes.

            but if you read his/her post, he/she appears to be speaking from experience, and that puzzles me.

            i've done some research on this before - and actually discussed it here too... there was some talk about a mysterious application that supposedly CAN accomplish such a download. but after more researching since then i highly doubt that there is an effective way to actually get the php source without any server access of any kind. of course you never know what's gonna happen, but in my opinion there would be real havoc online as soon as a monster like this broke loose and we'd all notice fairly quickly (just think of all the passwords that could be grabbed that way)

            nevertheless... i stumbled upon a page a while ago, which was running on a server that obviously experienced some problems at the time and didn't parse php files - since they were running phpBB i gave it a try and tried grabbing their db-config info - no problem there either. so i emailed the username and password to the webmaster, suggesting him to get his page back together ;-)

              I can't count how many times I've told people to store those things outside of their document root. It's just silly to keep that kind of info in there when it can so easily be moved outside.
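LordShryku's advice above, as an added example that is not part of the original thread: with the credentials outside the document root, a server that stops parsing PHP has no password file to hand out. The function name `load_private_config`, the file names and the temp-directory layout are assumptions for illustration.

```php
<?php
// Added example. load_private_config, db.php and the demo layout are hypothetical names.

/**
 * Load a config file that returns an array, refusing any path that
 * resolves (after symlinks and "..") to somewhere inside the document root.
 */
function load_private_config(string $configPath, string $docRoot): array
{
    $real = realpath($configPath);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('config file or document root not found');
    }
    // Compare with a trailing separator so /var/www-private does not match /var/www.
    $rootPrefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $rootPrefix, strlen($rootPrefix)) === 0) {
        throw new RuntimeException('config file is inside the document root');
    }
    $config = require $real;
    if (!is_array($config)) {
        throw new RuntimeException('config file must return an array');
    }
    return $config;
}

// Constructed demo layout in a temp directory:
//   <base>/public_html/    stands in for the document root
//   <base>/private/db.php  holds the credentials, outside the document root
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cfgdemo_' . uniqid();
mkdir($base . '/public_html', 0700, true);
mkdir($base . '/private', 0700, true);
$secret = "<?php return ['dbuser' => 'forum', 'dbpasswd' => 'constructed-sample'];\n";
file_put_contents($base . '/private/db.php', $secret);
file_put_contents($base . '/public_html/db.php', $secret); // the layout to avoid

// Credentials outside the document root load normally.
$cfg = load_private_config($base . '/private/db.php', $base . '/public_html');
echo "loaded credentials for user: {$cfg['dbuser']}\n";

// The same file placed under the document root is rejected.
try {
    load_private_config($base . '/public_html/db.php', $base . '/public_html');
} catch (RuntimeException $e) {
    echo "refused: {$e->getMessage()}\n";
}
```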

                Originally posted by LordShryku
                I can't count how many times I've told people to store those things outside of their document root. It's just silly to keep that kind of info in there when it can so easily be moved outside.

                the problem here is that not everyone has access to space outside document root.

                in any case, I'll take it that the technical community here agrees with my opinion, so we all should be safe, at least until sid's mysterious program pops up 🙂

                  Well, just for grins, just tested it using download accelerator plus. Tried it with $_GET vars, without, with anchors (#post10437859). Every php page I tried came out as parsed html. So yeah, he's full of it.

                    perhaps he 'misspelled' .phps? :rolleyes:

                      This site sometimes spews out an HTTP response at the top of the page. I have seen entire pages of source code before but only on websites that are broken.

                      I heard that there was a similar exploit on IIS once. But then that's another story.

                      Another thing he could have done was access the link on PHP.net which shows you the source code of the page 😃

                        But does anyone play try2hack.nl?
                        I've played a local version, try2hack.it, and all the hacks are for
                        client-side protection (javascript, java, visualbasic, flash) or
                        for netbios and irc... nothing about servlet, asp and php...

                        However all the techniques are good to hack a real site.

                        (and let me say the word "try2hack" is missing from any search engine...)
