PHP security : retrieving PHP file from server, un-processed

Question

Is there really a way to do this ? Retrieving raw .php file from the server (other than getting into server\'s FTP account) ? Is this the reason why there are tools/script t

Answer 1

Generally speaking, you can't access remote source code. The PHP module would have to be disabled for this to occur.

But as a thought experiment, how might this happen?

Leaving aside wholesale exploits which get access to the entire filesystem, imagine if there were a security hole in an application which allowed you to insert an line into an .htaccess file. Given that an .htaccess writable by the httpd process is useful for apps like Wordpress, it's not too outlandish a possibility.

If you added this:

php_value engine off

The source files now become downloadable!