====== Revealed Source Code Vulnerability ======

PHP library files stored in the web server document root may be displayed as raw PHP source code if they lack the PHP extension or if the web server configuration disables interpretation of PHP scripts. This happens because the web server does not hand the file to the PHP interpreter but instead treats it as a normal file and transfers it uninterpreted (i.e. as raw PHP source code) to the web browser. This can compromise sensitive information or possibly reveal other targets for attack.

On a [[security:shared host or compromised system]], source code may be visible in the normal course of events due to standard file system permissions. Also, on shared hosting systems, a changed configuration for one user or site may compromise those of another site, such as disabling (temporarily or by accident) the PHP interpreter.

===== Remedy =====

  * Deploy source code in a byte-code encrypted format.
  * Seek a service-level agreement with your provider on the availability of services.
  * Deny access to confidential files via directives in your web server, and include them from an outer file with public access (using PHP's include()).

===== Additional Information =====

  * See [[security:web_application_security|web application security]] and [[catalog|security vulnerabilities catalog]].
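To audit a document root for the condition described above, the following added example (not part of the original page) lists files that contain PHP code but would be sent to the browser uninterpreted. The ''.php''-only handler mapping, the function names and the sample tree are assumptions constructed for illustration; passing an empty set models a server whose PHP interpreter has been disabled.

```python
import os
import tempfile

# Assumption: the server hands only these extensions to the PHP interpreter.
INTERPRETED_EXTENSIONS = {".php"}
PHP_OPEN_TAGS = (b"<?php", b"<?=")


def find_exposed_php_sources(document_root, interpreted=INTERPRETED_EXTENSIONS):
    """Return sorted relative paths of files that contain PHP code but whose
    extension is not mapped to the interpreter, so they would be served raw."""
    exposed = []
    for directory, _subdirs, filenames in os.walk(document_root):
        for name in filenames:
            extension = os.path.splitext(name)[1].lower()
            if extension in interpreted:
                continue  # handed to the interpreter, source is not revealed
            path = os.path.join(directory, name)
            try:
                with open(path, "rb") as handle:
                    head = handle.read(65536)  # only the first 64 KiB is inspected
            except OSError:
                continue  # unreadable file: skip it
            if any(tag in head for tag in PHP_OPEN_TAGS):
                exposed.append(os.path.relpath(path, document_root))
    return sorted(exposed)


def build_sample_docroot(root):
    """Write a constructed sample tree (not real application code)."""
    files = {
        "index.php": "<?php include 'lib/db.inc'; ?>",
        "lib/db.inc": "<?php $password = 'constructed-sample'; ?>",
        "lib/config.php.bak": "<?php $debug = true; ?>",
        "static/readme.txt": "plain text, no PHP here",
    }
    for relative, content in files.items():
        target = os.path.join(root, relative)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "w") as handle:
            handle.write(content)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as docroot:
        build_sample_docroot(docroot)
        for relative in find_exposed_php_sources(docroot):
            print("served as raw source:", relative)
```

Files reported by the check are candidates for the remedies above: move them out of the document root or deny access to them in the web server configuration.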