3

I just ‘discovered’ that the developer on my client’s craft website has been migrating his old landing pages to the new setup by cramming the older static pages into the public directory instead of using the CMS.

There are a lot of PHP files there but they are mostly using a PHP mailer setup - not any database queries.

My question is: how dangerous or safe is it to have PHP files in the public directory?

Amit Erandole
  • 338
  • 2
  • 12

2 Answers2

7

As long as the PHP files themselves don't introduce any security holes, having them in your web root is perfectly fine. That's not uncommon at all. How they were written makes all the difference, of course. If you aren't sure whether the developer followed best practices for the security of the mailer scripts, that might be of some concern.

Todd Prouty
  • 270
  • 1
  • 7
3

You should always be careful with PHP source files in a public folder. Typically it's fine, however a small mistake in the server's configuration can lead to big problems. It might cause .php files not to be processed by PHP, leading to leaked source files.

This famously happened with Facebook in 2007.

Arnold Daniels
  • 131
  • 3
  • The php files actually have no connection whatsoever with the CMS. Does that make it better? – Amit Erandole Aug 03 '16 at 14:44
  • The source files might show credentials like passwords and secret keys. They may also expose exploits a hacker can use one the configuration has been restored. It's not uncommon that custom scripts have some security exploids. However these are often hard to identify without access to the source code. – Arnold Daniels Aug 04 '16 at 10:41