
Download php script from Web Server with Directory Listing enabled

7 replies to this topic

#1
chingupt

    Newbie

  • Members
  • 4 posts
Hi,

I have a small problem or, let's say, a doubt.
I was browsing my recently created web site and found that the directory listing was enabled.
The listing showed a PHP script which I had put up. But when I try to save that file, it does not allow me to. It gets redirected to another page.

In this script, I am sending out mails to my client, and after sending the mail, it gets redirected to another page.


My question is:

Why am I unable to download the PHP script even though the directory listing is enabled?

#2
dbug

    Programmer

  • Members
  • 155 posts
Because you can view the files in a listing, but when you ask the HTTP server to access one of those files and it recognizes the file as a special kind (like a PHP script), the server executes it instead of returning its code.

To download the file you should change the extension from .php to something else that the server doesn't recognize, or use an FTP transfer.

#3
chingupt

    Newbie

  • Members
  • 4 posts
So it comes as kind of a security feature. That is, if an unauthorized person sees this file, he/she will not be able to see the code. Right?

If that is the case, you mean there is no simple way of downloading the file?

#4
Orjan

    Writes binary right handed and hex left handed

  • Moderators
  • 3,299 posts
That's right.
__________________________________________
I study Information Systems at Karlstad University when I'm not on CodeCall

#5
chingupt

    Newbie

  • Members
  • 4 posts
Thanks

Well, there must be some way of downloading this script!!! There is always a way around!!!

#6
dbug

    Programmer

  • Members
  • 155 posts
I don't view this as a security feature. It's only that the web server has been configured to execute a script when the extension of the requested file is .php. The web server has no way to determine if you want to download a file or execute it, so it does what it has been configured to do.

Maybe using WebDAV (but I'm not sure, I haven't worked much with it). Other possibilities are creating a custom script to download files (could be a security risk) or installing other services to transfer files, like FTP.

#7
Orjan

    Writes binary right handed and hex left handed

  • Moderators
  • 3,299 posts
No, of course it's not a real security feature, but in a way, it works like one. And no, there isn't a way around unless you have login rights to the server via SSH, FTP or other protocols.
__________________________________________
I study Information Systems at Karlstad University when I'm not on CodeCall

#8
bbqroast

    Codecall Addict

  • Members
  • 554 posts
That's what SSI means: Server Side.
I mean, imagine if I had a script like this (it's not real and won't work):
<?php
mysql_connect(localhost,admin,hyabhdsn)
if ($_POST['pass'] == $mysql(nuclear,scientists,pass)){
      FIREMISSILE()
} else {
      Error(bad_pass)
}
?>
I could download the script and steal the MySQL passwords, then I would have access to the database :D

So of course there isn't a way around. Unless you break into the server.
This isn't like a Microsoft "Shrug, anyone who wants to do that will know how bad IE is"; it's a "No".
Please, write clearly with proper structure. Double spacing makes the text feel un-jointed, Capitalizing Every Word Means People Stop Before Every Word Sub-Consciously Which Is A Pain In The Backside, and use code tags! (The right most styling box).
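
The replies above establish that the source stays hidden only because the server maps the .php extension to a handler, so a copy of a script under any other extension is returned verbatim. The following audit sketch is an added example, not code from the thread: it walks a local webroot and lists files that contain PHP code but would not be executed. It assumes only .php is mapped to the handler; the function names and the sample tree are hypothetical and constructed for the demonstration.

```python
import os
import tempfile

# Assumption: only these extensions are mapped to the PHP handler.
EXECUTED_EXTS = {".php"}
PHP_MARKERS = (b"<?php", b"<?=")


def find_served_as_source(webroot, executed_exts=EXECUTED_EXTS, sniff_bytes=65536):
    """Relative paths of files holding PHP code that the server would return verbatim."""
    exposed = []
    for dirpath, _dirs, filenames in os.walk(webroot):
        for name in filenames:
            if os.path.splitext(name)[1].lower() in executed_exts:
                continue  # executed by the handler, source is not returned
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sniff_bytes)
            except OSError:
                continue  # unreadable to the auditor; skip
            if any(marker in head for marker in PHP_MARKERS):
                exposed.append(os.path.relpath(path, webroot).replace(os.sep, "/"))
    return sorted(exposed)


def build_sample_webroot(root):
    """Constructed sample tree (not from the thread); secrets are placeholders."""
    files = {
        "mail.php": b"<?php $pw = 'PLACEHOLDER'; ?>",
        "mail.php.bak": b"<?php $pw = 'PLACEHOLDER'; ?>",
        "inc/db.inc": b"<?php $dsn = 'PLACEHOLDER'; ?>",
        "index.html": b"<html><body>hello</body></html>",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_webroot(root)
        return find_served_as_source(root)


if __name__ == "__main__":
    for rel in demo():
        print("would be served as source:", rel)
```

Pass the set of extensions your own server actually hands to PHP as `executed_exts`; anything the scan reports should be moved out of the webroot or deleted.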