I'm sure I'm doing something dumb, but I can't tell what it is.
On my remote host, I have a subdir with a bunch of files.
When I request this directory, I can see a listing of the files within this dir.
However, if request any file suffixed .php, my browser says that the resource is not available. Firefox tells me that it can't find the file I requested.
I guess that this is a permissions issue.
For testing purposes, I have set the permissions as permissively as possible.
What could be causing this?
Resource not available (HTTP 503) depends a lot on your server configuration. If you are using a FastCGI version of PHP, have you started the FastCGI backend? If you are using Apache and mod_php, are there errors in the Apache logs?
What web server are you using? Has it been able to serve PHP files before?
if apache, make sure you have something similar to this in your config:
<IfModule mod_php5.c>
AddType application/x-httpd-php .php
</IfModule>
Related
Everything was going great until I added AddHandler application/x-httpd-php5s .php to the .htaccess file in my local server's document root (which I change frequently depending on the site I'm working with). Since I did that when I visit http://localhost:8888 my browser just downloads the index.php and it's not processed at all, just the raw code. Now I removed that line from the .htaccess file but I'm still having this problem.
I've found that if I add an alternative entry to my hosts file for 127.0.0.1 the new entry behaves like 'localhost' used to. But if I add the line above to my .htaccess it knocks out that new host as well. I've tried reinstalling MAMP and clearing its caches and all the temporary files I could find. I surfed through Apache's httpd.conf file all to no avail.
So, to be clear: http://localhost:8888 is experiencing the above problem. If I add a new entry to my hosts file for 127.0.0.1, say 'goomba' and the above line is not in the root .htaccess (and has never been for that host/alias/whatever) then I can access http://goomba:8888 just fine. But if I do add that line to the .htaccess then I have to add yet another entry to my hosts file to get around it even if I remove that line from the the .htaccess file.
I'm fine with using a different 127.0.0.1 alias (host? what is that called?) but it's bugging me that this is still broken.
Just to be clear, I'm on Mac OS Leopard (but I'm not using the built in Apache setup, but MAMP).
I've had a similar issue a couple times and renaming the file did not work for me. With OS X Lion I found the right configuration is this:
<IfModule php5_module>
AddType application/x-httpd-php .php
<FilesMatch \.php$>
SetHandler application/x-httpd-php
</FilesMatch>
AddType application/x-httpd-php-source .phps
<IfModule dir_module>
DirectoryIndex index.php index.html
</IfModule>
</IfModule>
The magic that made it work for me is the SetHandler application/x-httpd-php part.
Of course edit the <IfModule php5_module> to your php version.
You are applying a mimetype where a handler should be (see documentation on handlers)
Try this instead:
AddType application/x-httpd-php5 .php
EDIT:
As you have indicated caching modules are loaded, you could read up on caching and htcacheclean (to clear the disk cache). You can also temporarily use the CacheDisable directive. One other thing that you could also try is to rename the file that you have requested (e.g. index.php -> index.bak), request the file again in the browser (should now 404), then revert and try again.
Just note, make sure you don't have a htaccess file from your live environment accidentally downloaded with other files. Additionally, make sure you match your PHP version when editing htaccess. Wrong version cause same issue-wrong settings.
Here is an example for running PHP7:
application/x-httpd-ea-php71 .php .php7 .phtml
I hope this info can help - it happened to me 8 years after ticket is created :)
If someone has again this kind of issue, do something most important firstly. I mean, use private navigation (without cache).
I wasted my time because of this.
GLHF
Perhaps you want application/x-httpd-php5 instead of application/x-httpd-php5s? (Note the lack of an s at the end.)
in my case deleting or comment out "AddHandler php56-cgi .php" in my root's involved htacces files solved it
Best
For the same issue, i removed the '5' AddType application/x-httpd-php .php .htm .html
its working fine! try
I had the same issue and it was because inside this folder you have .htaccess file hidden with some custom code, for me was because I copy from my running website server. Try to rename the file and you will see your project. Then customise the file in your needs.
First check if your apache server is running. Start->Run->cmd and then execute command:
netstat -abn
Lookup the result for line like this:
TCP 0.0.0.0:8888 0.0.0.0:0 LISTENING 600 [apache.exe]
If you cant find anything listening on port 8888 ( no 0.0.0.0:8888 line) then your apache is failing to start. To find out why it cant start you should find apache log directory and examine the error.log (may be you have updated your php resently?). If you find 0.0.0.0:80 listening line but some other software is listening there (do you have IIS running?) then you should remove / reconfigure that softure to free port 80. If you have apache listening on port 80 but still cant open your site and you cant figure out what is causing the problem via examining apache log files then it my be database problem. Check if your mysql is running and listening using same command but you should be looking for
TCP 0.0.0.0:3306 0.0.0.0:0 LISTENING [mysqld-nt.exe]
If you cant find such line then your mysql server is not running - check mysql log files for errors. If both servers are running and you cant get any output in your browser then check your firewall and antivirus - they may block your requests. Hope this helps ;)
I actually had a very similar issue. All of my php files were downloading when I tried to test if php and apache were working together. It turns out they weren't working together.
I had to uninstall php, I would recomend the same course of action and then reinstalling php just using the zip file download on php.net, instead of installing it with MAMP. I think my problem was that I had used the php installer. I do not recomend using that.
This website helped me a lot, I was having an issue with apache not starting and while that is not your issue, this website solved both the apache not starting and the downloading of php files issue and even though you are on a mac it may help you as well http://forums.phpfreaks.com/topic/185771-problem-starting-apache-2214-after-installing-php-5212
Hope everything works! Good Luck!
Just remove the comment
<IfDefine PHP>
LoadModule php_module modules/libphp.so
</IfDefine>
in etc/extra/httpd-xampp.conf
In my case after cloning a repo and trying to set the project up i hade to run composer update to install the all dependencies and then it open the page instead of downloading the file
I noticed that it's possible to run a file via PHP even if its extension wasn't .php, for example file test.xyz.php.whatever.zyx can be still run with PHP even when the extension isn't .php! It just happens to have .php. in the filename, and that's enough for my Apache to run the PHP script.
I tried (as someone suggested) to put this in a .htaccess file on that folder:
php_flag engine off
But it didn't work on my machine.
The only solutions I know for now are:
Rename to known file extension, which is not run via PHP, such as .txt.
Remove all dots from the filename, thus making it extensionless.
But I'm still not sure how these solutions would work on other servers than my Windows server (with Apache).
Is there any other solutions which doesn't need the filenames to be renamed in any way?
for uploading by users I suggest that you upload a folder in a layer above the root path
in this case Only You Have Access To upload folder( In direct addressing)
and an attacker have not access to any files in this folder
Thus you disable an attacker action to run malicious file
To be completely secure, you'll need to do a couple of things:
Set your upload directory above your "public" folder, making it inaccessible from a browser. This setting is in php.ini (php config file). You'll need to restart Apache for this to take effect. On most Redhat / Fedora / CentOS web servers, this can be:
upload_tmp_dir = "/var/tmp/"
OR, on my local Windows 7 WAMP install, it is set to:
upload_tmp_dir = "c:/wamp/tmp"
Disable scripts from running on that directory (c:/wamp/tmp), in .htaccess:
RemoveHandler .php .phtml .php3
RemoveType .php .phtml .php3
php_flag engine off
In your PHP script, get the uploaded file, filter it based on mimetype (not filetype extension), change the filename, and put it into a secured publicly accessible folder. In more detail:
create a whitelist of filetypes, ex: only images (jpeg, png, gif, bmp). This can be done using mime_content_type() http://php.net/manual/en/function.mime-content-type.php or the newer finfo_file() http://us3.php.net/manual/en/function.finfo-file.php
choose a new filename, often it's best to use a random MD5 hash based on the original filename + salt + timestamp.
move it to a public folder, ex: "c:/wamp/www/project_name/public/uploads"
Preferably use an MVC framework, such as Zend Framework, which includes filetype filtering.
If you do all of that, you should be secure. Obviously you'll never be 100% safe, since there are countless obscure exploits targeting PHP, MySQL, the command line, etc, particularly on older systems. On larger company webservers (what I work on), they disable everything, and selectively enable only what is required for the project. With a system such as WAMP, they enable everything, to ease local development.
Good practice for working on a professional project is to get a cloud server account with Rackspace or Amazon, and learn how to configure php.ini, and httpd.conf settings, as well as PHP security best practices. In general, do not trust the users input, expect it to be corrupt / malicious / malformed, and in the end you'll be secure.
First of all you need to understand what happens here:
test.xyz.php.whatever.zyx
Such a file on a webserver on it's own would do nothing. Only added configuration does tell Apache to execute PHP on that file.
So if you remove that added configuration, Apache won't care to find .php in there - be it at the very end or part of a stacked file-extension.
Check which handler you have set for php in your server configuration. Remove it for the upload directory. This then won't resolve any other configuration issues you might have with uploaded files, however PHP files aren't executed by PHP any longer then - which is what you want if I understood you right.
If you've got a problem to find out what this is about, you need to post your PHP configuration in your httpd.conf file and associated Apache HTTPD configuration files for your system.
The directive somebody told you for .htaccess:
php_flag engine off
does only work if you're running PHP as an apache SAPI module.
Instead of php_flag engine off you could remove the handler for PHP files using an .htaccess file for a single directory.
In the directory you are disabling PHP in, your .htaccess should include:
RemoveHandler .php .phtml .php3 .php4 .php5
RemoveType .php .phtml .php3 .php4 .php5
You can likely get away with the below however, depending on which AddHandler types you have configured in your default Apache configuration, which, on windows, should be in C:\Program Files\Apache<version>\conf\httpd.conf
RemoveHandler .php
RemoveType .php
You will also need to ensure that in your main apache configuration file, that the directory containing the .htaccess file is in, is covered by a Directory statement which has AllowOverride FileInfo set. You may wish to consider AllowOverride All if you will be using .htaccess files for other purposes - see the Apache documentation for AllowOverride for an explanation of the differences.
Personally, this is the main reason I no longer upload files to the web server under any circumstances. Instead, I use S3 / Amazon SDK to move the uploaded temp file directly to a bucket on S3 with Private permissions (I use S3, any other CDN will work just as well). If the file needs to be viewed or viewed by a web client, I use a "getter" function of sorts that integrates with the SDK to get the file and display it.
There are just so many uncontrollable variables that come into play whenever you allow any kind of file upload to a web server, it can be difficult to manage permissions, filtering, and even just space. With S3 (or any other CDN), that is all very easy to manage, and all files are effectively quarantined from the server by default.
On Apache you could disable all dynamic handlers for the directory that contains the untrusted files.
SetHandler default-handler
this is not really good answer but hope useful in some special cases ...
you can use mod_rewrite in .htaccess file like this :
RewriteRule ^(.+).xyz.php.whatever.zyx$ index.php?openfile=$1 [NC,L]
and inside your index.php file :
$file = secure_this_string($_GET['openfile']);
include($file.'.xyz.php.whatever.zyx'); # or some other files
remember to see this answer for security reasons StackOverFlow
and in test.xyz.php.whatever.zyx file :
<?php echo 'hello';
now if client requests /test.xyz.php.whatever.zyx file , out put should be 'hello'
A simple regex would do the job
<?php
$a = strtolower($_FILES["file"]["name"]);
$replace = array(".php", ".phtml", ".php3", ".php4", ".php5");
$_FILES["file"]["name"] = str_replace($replace, "", $a);
?>
This works fine on any server
The following .htaccess-code could work and deny access to files containing "php":
<FilesMatch "php">
Deny from all
</FilesMatch>
I could reproduce your issue quite easily on our server. There is a way to fix this, you need to edit /etc/mime.types and comment out lines
#application/x-httpd-php phtml pht php
#application/x-httpd-php-source phps
#application/x-httpd-php3 php3
#application/x-httpd-php3-preprocessed php3p
#application/x-httpd-php4 php4
#application/x-httpd-php5 php5
These lines cause anything with .php in name to be processed.
Once you comment out the entries in mime.types, mod_php config in /etc/apache2/mods-enabled/php5.conf has this entry which correctly only processes files ENDING with .php
<FilesMatch "\.ph(p3?|tml)$">
SetHandler application/x-httpd-php
</FilesMatch>
What is REALLY SCARY is that this is a default config (Ubuntu 10.04 in our case).
EDIT
On Windows the mime.types file should be in apache_home/conf/mime.types
I have a Apache server running at Rackspace Cloud Hosting, so I've installed Wordpress manually(setting up the database, wget the latest.zip...) and placed it at /var/www, but now when I try to access it for the first time, it downloads a strange file with the IP as name instead of showing me the Wordpress Installation.
PS: The same happens if I place it on a sub-directory like blog
I think you haven't configured Apache to execute PHP (mod_php?) Right now it's just serving your PHP files like any old file type so what you're getting is your wordpress index.php as a file download.
I'm not sure what the process is for Rackspace, but usually this would mean enabling mod_php.
Do you have any other PHP files that work on that site?
you need to tell Apache to excuate php files. add the following to your Apache configuration file:
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .php
make sure PHP module is included in Apache configuration first!
Everything was going great until I added AddHandler application/x-httpd-php5s .php to the .htaccess file in my local server's document root (which I change frequently depending on the site I'm working with). Since I did that when I visit http://localhost:8888 my browser just downloads the index.php and it's not processed at all, just the raw code. Now I removed that line from the .htaccess file but I'm still having this problem.
I've found that if I add an alternative entry to my hosts file for 127.0.0.1 the new entry behaves like 'localhost' used to. But if I add the line above to my .htaccess it knocks out that new host as well. I've tried reinstalling MAMP and clearing its caches and all the temporary files I could find. I surfed through Apache's httpd.conf file all to no avail.
So, to be clear: http://localhost:8888 is experiencing the above problem. If I add a new entry to my hosts file for 127.0.0.1, say 'goomba' and the above line is not in the root .htaccess (and has never been for that host/alias/whatever) then I can access http://goomba:8888 just fine. But if I do add that line to the .htaccess then I have to add yet another entry to my hosts file to get around it even if I remove that line from the the .htaccess file.
I'm fine with using a different 127.0.0.1 alias (host? what is that called?) but it's bugging me that this is still broken.
Just to be clear, I'm on Mac OS Leopard (but I'm not using the built in Apache setup, but MAMP).
I've had a similar issue a couple times and renaming the file did not work for me. With OS X Lion I found the right configuration is this:
<IfModule php5_module>
AddType application/x-httpd-php .php
<FilesMatch \.php$>
SetHandler application/x-httpd-php
</FilesMatch>
AddType application/x-httpd-php-source .phps
<IfModule dir_module>
DirectoryIndex index.php index.html
</IfModule>
</IfModule>
The magic that made it work for me is the SetHandler application/x-httpd-php part.
Of course edit the <IfModule php5_module> to your php version.
You are applying a mimetype where a handler should be (see documentation on handlers)
Try this instead:
AddType application/x-httpd-php5 .php
EDIT:
As you have indicated caching modules are loaded, you could read up on caching and htcacheclean (to clear the disk cache). You can also temporarily use the CacheDisable directive. One other thing that you could also try is to rename the file that you have requested (e.g. index.php -> index.bak), request the file again in the browser (should now 404), then revert and try again.
Just note, make sure you don't have a htaccess file from your live environment accidentally downloaded with other files. Additionally, make sure you match your PHP version when editing htaccess. Wrong version cause same issue-wrong settings.
Here is an example for running PHP7:
application/x-httpd-ea-php71 .php .php7 .phtml
I hope this info can help - it happened to me 8 years after ticket is created :)
If someone has again this kind of issue, do something most important firstly. I mean, use private navigation (without cache).
I wasted my time because of this.
GLHF
Perhaps you want application/x-httpd-php5 instead of application/x-httpd-php5s? (Note the lack of an s at the end.)
in my case deleting or comment out "AddHandler php56-cgi .php" in my root's involved htacces files solved it
Best
For the same issue, i removed the '5' AddType application/x-httpd-php .php .htm .html
its working fine! try
I had the same issue and it was because inside this folder you have .htaccess file hidden with some custom code, for me was because I copy from my running website server. Try to rename the file and you will see your project. Then customise the file in your needs.
First check if your apache server is running. Start->Run->cmd and then execute command:
netstat -abn
Lookup the result for line like this:
TCP 0.0.0.0:8888 0.0.0.0:0 LISTENING 600 [apache.exe]
If you cant find anything listening on port 8888 ( no 0.0.0.0:8888 line) then your apache is failing to start. To find out why it cant start you should find apache log directory and examine the error.log (may be you have updated your php resently?). If you find 0.0.0.0:80 listening line but some other software is listening there (do you have IIS running?) then you should remove / reconfigure that softure to free port 80. If you have apache listening on port 80 but still cant open your site and you cant figure out what is causing the problem via examining apache log files then it my be database problem. Check if your mysql is running and listening using same command but you should be looking for
TCP 0.0.0.0:3306 0.0.0.0:0 LISTENING [mysqld-nt.exe]
If you cant find such line then your mysql server is not running - check mysql log files for errors. If both servers are running and you cant get any output in your browser then check your firewall and antivirus - they may block your requests. Hope this helps ;)
I actually had a very similar issue. All of my php files were downloading when I tried to test if php and apache were working together. It turns out they weren't working together.
I had to uninstall php, I would recomend the same course of action and then reinstalling php just using the zip file download on php.net, instead of installing it with MAMP. I think my problem was that I had used the php installer. I do not recomend using that.
This website helped me a lot, I was having an issue with apache not starting and while that is not your issue, this website solved both the apache not starting and the downloading of php files issue and even though you are on a mac it may help you as well http://forums.phpfreaks.com/topic/185771-problem-starting-apache-2214-after-installing-php-5212
Hope everything works! Good Luck!
Just remove the comment
<IfDefine PHP>
LoadModule php_module modules/libphp.so
</IfDefine>
in etc/extra/httpd-xampp.conf
In my case after cloning a repo and trying to set the project up i hade to run composer update to install the all dependencies and then it open the page instead of downloading the file
I'm trying to port a PHP site developed by another coder (who is no longer around) and I'm having a problem with the Apache Rewrite rules which are prompting a file download on the target server. I'm sure this is a simple problem, but I'm having some difficulty Googling an answer. I'm running on a (dedicated) Ubuntu Server with a standard installation of Apache and PHP5 and porting from shared a shared server where everything runs fine. No site files have been altered during the port.
The .htaccess file contains this code (only)
# Use PHP5 as default
AddHandler application/x-httpd-php5 .php
Options -Indexes FollowSymlinks
RewriteEngine on
RewriteRule ^html/(.*) /index.php?init=site\/$1\/$2\/$3\/$4\/$5\/$6\/$7\/$8\/$9
RewriteRule ^mykart$ /index.php?admin=true
RewriteRule ^mykart/$ /index.php?admin=true
RewriteRule ^mykart/(.*)$ /index.php?init=admin\/$1\/$2\/$3\/$4\/$5\/$6\/$7\/$8\/$9&admin=true
When I try to open the file http://www.mysite.com/html/#home the browser attempts to download the (index.php) file instead of displaying it, with the message
"You have chosen to Open
[dialog shows blank space here]
which is a: application/x-httpd-php
from....
"
I guess I must have missed something in either the PHP or Apache configuration, but what?
EDIT: To clarify, the server is running Apache2 and has several, functioning, PHP sites on it. Furthermore if I delete the .htaccess file and run a simple phpinfo display page everything runs fine, so it's not the execution of PHP per see.
I suppose that the MIME type application/x-httpd-php5 is not valid. I’ve tried it on my local machine and it caused the same behavior.
Have you tried application/x-httpd-php instead?
Looks like an Apache config issue, of course I could be wrong. Have you checked httpd.conf for the following lines:
# Add index.php to your DirectoryIndex line:
DirectoryIndex index.html index.php
AddType text/html php
I had a similar issue. Browser attempted to download links from php website, instead of loading them.
It wasn't Php interpreter issue for me, it turned out to be misplaced .htaccess file. However, I didn't realized that disabling the htaccess file solved the issue for hours, due to browser cache.
So, don't forget to clear your browser caches! And restart Apache.