I am currently working with PHP, just a beginner, but mainly interested in security issues regarding PHP. What I was wondering is "what does a client get to see from the PHP files on a server".
So say for instance you have 1 sheet containing all your PHP code. You include the file and you call the function you want to use. What does the client see from the sheet? Is it only the called function, just the output or something else?
The reason why I am interested is because I am wondering if a client could have the possibility to see what is truly being executed. So not only the outcome but also the content from the function itself, e.g. code being executed.
To put a vague story together: I am interested in how much you get to see as a client towards the server.
Thanks in advance!
PS: I am sorry if I am posting a duplicate question, but I couldn't find anything similar to my question.
Considering that PHP is server-side, nothing should be exposed to the client from the internal workings. Only the output (unless your server is wrongly configured and doesn't parse PHP files). To counter even this problem most people will just have an index.php file in their document root which includes a PHP file (bootstrap file) outside of the document root. This way even when the files aren't parsed by PHP the only thing accessible will be the file with require __DIR__ . '/../bootstrap.php'; in it.
However it might be possible to leak information when you have enabled error reporting (which you should always do) and you have enabled display errors.
An example of leaking information might look like this:
Fatal error: Uncaught exception 'Exception' with message 'Eeeeeeeek' in /path/to/Template/stream/stream.phtml:20
Stack trace:
#0 /path/to/PitchBlade/src/PitchBlade/Mvc/View/View.php(179): require()
#1 /path/to/PitchBlade/src/PitchBlade/Mvc/View/View.php(196): PitchBlade/Mvc/View/View->render('stream/stream.p...')
/path/to/View/Stream/Stream.php(46): PitchBlade/Mvc/View/View->renderPage('stream/stream.p...')
etc
You can find out for yourself by "faking" an exception somewhere deep in your code:
<?php throw new \Exception('Eeeeeeeek'); ?>
If the entire stack trace is displayed, lots of information is exposed.
Another common pitfall is renaming PHP files (for the purpose of backup or whatever) by changing the extension. E.g. rename index.php to index.php.bak. Now by default PHP doesn't parse the file anymore and it could be read from the client side as is.
Also note that (some?) webservers expose some information to the client (i.e. webserver type and sometimes version and PHP version used). Depending on the webserver this can be changed by the expose_php directive and by the directive for the webserver you use. For Apache you would add the following to the server config to prevent exposure of the webserver used (ServerTokens Prod and ServerSignature Off). Although people will often still be able to get at least some of this information by using a fingerprinting technique.
One last thing I can think of is users (or possible attackers) trying out the different PHP "easter eggs" by appending one of the following query strings:
?=PHPE9568F36-D428-11d2-A769-00AA001ACF42
?=PHPE9568F35-D428-11d2-A769-00AA001ACF42
?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
?=PHPE9568F34-D428-11d2-A769-00AA001ACF42
But IIRC this is also not possible when php_expose is disabled.
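A bootstrap file that keeps error reporting enabled while keeping stack traces out of the response, following the points in the answer above. This is an added example, not code from the original post; the log path and the reference-ID scheme are assumptions.

```php
<?php
// bootstrap.php - kept outside the document root and pulled in by index.php
// via: require __DIR__ . '/../bootstrap.php';
declare(strict_types=1);

error_reporting(E_ALL);                   // report everything...
ini_set('display_errors', '0');           // ...but never render it to the client
ini_set('display_startup_errors', '0');
ini_set('log_errors', '1');               // full details stay on the server
// Assumption: hypothetical log location that the web server does not serve.
ini_set('error_log', __DIR__ . '/logs/php-error.log');

// expose_php can only be set in php.ini; removing the header here covers
// this response even when the ini setting is still at its default.
header_remove('X-Powered-By');

// Route warnings and notices through the same path as exceptions.
set_error_handler(
    function (int $severity, string $message, string $file, int $line): bool {
        if (!(error_reporting() & $severity)) {
            return false;                 // respect the configured level
        }
        throw new ErrorException($message, 0, $severity, $file, $line);
    }
);

// Last-resort handler: log the trace, send the client a generic message.
set_exception_handler(function (Throwable $e): void {
    $ref = bin2hex(random_bytes(8));      // constructed ID to correlate with the log
    error_log(sprintf(
        "[%s] %s: %s in %s:%d\n%s",
        $ref,
        get_class($e),
        $e->getMessage(),
        $e->getFile(),
        $e->getLine(),
        $e->getTraceAsString()
    ));
    if (!headers_sent()) {
        http_response_code(500);
        header('Content-Type: text/plain; charset=utf-8');
    }
    echo "Internal server error (reference {$ref})";
});
```

With this in place, the "faked" exception from the answer produces only the generic message and reference in the browser, while the file paths and stack trace go to the log.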