NetWebClient problem downloading index.php

[ViggoPoulsen]

Hi

At my site ( www.vipilon.dk ) I have a index.php. I want to download the exact content of this file.

The content is:

<?php
/**
 * Front to the WordPress application. This file doesn't do anything, but loads
 * wp-blog-header.php which does and tells WordPress to load the theme.
 *
 * @package WordPress
 */

/**
 * Tells WordPress to load the WordPress theme and output it.
 *
 * @var bool
 */
define('WP_USE_THEMES', true);

/** Loads the WordPress Environment and Template */
require('./wp-blog-header.php');
?>

But this seems to be impossible for me. When using Fetch (and with Redirect off ) I get a status instead of the contents. Anything I can do ?

Best regards
Viggo Poulsen

[Bruce]

Hi Viggo,

the short answer is "no".
What is happening is something like this;

Browser-to-Server: Please send me "file" index.php

Server thinks: hmm php, well I know how to serve that, I load the file, pass it to my php engine, and take the result and send it back to the browser.

Server-to-browser: Here is index.php

Browser - that's not what I want, I want the "raw" file called index.php _before_ you pass it to the php engine.

Server : Sorry but I _always_ pass .php files to the php engine before serving.

--------------------

When you think about it, this is completely correct. PHP files contain "Server side code". This code contains SQL login parameters, passwords and so on. You (almost) never want random users to simply ask your server for the "raw" php.

So what to do?
Well, one option of course, is to run a NetTalk server - with PHP turned _off_ on the same machine, perhaps on a different port. It'll happily ignore the "meaning" of PHP and simply serve you the raw text if you like. (Of course this makes your _source_ code available to _anyone_ - not perhaps what you have in mind.)

An alternate is to store the index.php as index.php, but say a copy as index.raw. You can fetch index.raw without it going through the php engine (I think) unless the server is passing _everything_ to the php engine. If everything is going to the php engine then you'd need to make php.raw not-a-text-file - for example zipped.

cheers
Bruce

[ViggoPoulsen]

Hi Bruce
Thank you for the explanation, it makes sense.
I have had my first attack on my sites, replacing index.php with another file containing something I surtainly cannot accept. So I thought 'Well, I just use Nettalk, download index.php and compare it with the version it should be. Add a timer and check often. Then I know if it happens again".
Maby I should allow a redirection so it will be my frontpage I receive, then I can check if surtain things are shown (the hacked index.php did not redirect to the page normally shown). hmmm, something to think about.

Best regards
Viggo Poulsen.

[Bruce]

You make it sounds as though having a page on your server replaced is normal and acceptable?
Hopefully you know how they managed it, and you've closed the hole?

cheers
Bruce

[ViggoPoulsen]

No, it is absolutely unacceptable, and I am working on finding and closing the hole. But I also know that it is a never ending story, and some day there may come a new attach, taking advantage of a module in Wordpress, something in prestashop or something totally different. So I find it better to be prepared for the unknown, hoping never to need it.

Best regards
Viggo